Positive Technologies Discovers Vulnerability in Fortinet Firewall

Attackers could gain full control over the firewall server; Fortinet has fixed the flaw.

Positive Technologies researcher Andrey Medov has discovered a vulnerability in Fortinet FortiWeb, a web application firewall designed to protect web applications from attacks. Fortinet, which ranks first in the number of information security products sold and provides cybersecurity to more than 500,000 customers worldwide, thanked Medov in the security advisory it issued for the flaw.

The vulnerability has been assigned CVE-2021-22123 and a CVSSv3 base score of 7.4, which places it in the High severity band.

Andrey Medov explains: "The command injection vulnerability in the FortiWeb management interface may allow an authenticated remote attacker to execute arbitrary commands in the system via the SAML¹ server configuration page. Executing commands with maximum privileges will result in the attacker gaining full control over the server. If, as a result of incorrect configuration, the firewall administration interface is available on the Internet, and the product itself is not updated to the latest versions, then the combination of CVE-2021-22123 and CVE-2020-29015 that Positive Technologies discovered earlier may allow an attacker to penetrate the internal network."
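The bug class Medov describes, an authenticated command injection through a configuration form, is easy to see in a small constructed example. The code below is added here for illustration and is not FortiWeb code or anything published by Positive Technologies; the page does not say which field was injectable, so the handler, its field names (`name`, `entity_id`) and the `echo`-based back end are assumptions. It shows the vulnerable form (user input spliced into a shell string), a quoting-based mitigation for cases where a shell is unavoidable, and the hardened form (allow-list validation plus an argument list that never touches a shell):

```python
"""Constructed illustration of an authenticated command injection via a
configuration form, not FortiWeb code: a hypothetical management-page handler
that persists a SAML server entry by shelling out. The field names and the
`echo`-based back end are assumptions made for the demo."""
import re
import shlex
import subprocess

# Names a SAML server entry could plausibly have; rejects quotes, ';', spaces, etc.
SAML_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,63}$")


def vulnerable_save_saml_server(name: str, entity_id: str) -> str:
    """Vulnerable form: user input is spliced into a shell command string.

    A name such as  x'; echo INJECTED; echo '  closes the quoted argument and
    appends attacker-chosen commands, which run with the handler's privileges
    (on an appliance, typically root).
    """
    cmd = f"echo 'saml-server name {name} entity-id {entity_id}'"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def quoted_save_saml_server(name: str, entity_id: str) -> str:
    """Defense in depth when a shell string is unavoidable: shlex.quote turns each
    value into a single shell word, so metacharacters are passed through literally
    rather than interpreted."""
    cmd = f"echo saml-server name {shlex.quote(name)} entity-id {shlex.quote(entity_id)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_save_saml_server(name: str, entity_id: str) -> str:
    """Hardened form: validate against an allow-list and never involve a shell.

    The argument list goes straight to execve(), so no character in `name` can
    change the command structure; the allow-list additionally rejects junk early
    and gives the operator a clear audit trail of refused input.
    """
    if not SAML_NAME_RE.fullmatch(name):
        raise ValueError(f"invalid SAML server name: {name!r}")
    argv = ["echo", "saml-server", "name", name, "entity-id", entity_id]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "x'; echo INJECTED; echo '"  # constructed attacker input
    print("vulnerable:", repr(vulnerable_save_saml_server(payload, "urn:test")))
    print("quoted:    ", repr(quoted_save_saml_server(payload, "urn:test")))
    try:
        hardened_save_saml_server(payload, "urn:test")
    except ValueError as exc:
        print("hardened:   rejected ->", exc)
    print("hardened:  ", repr(hardened_save_saml_server("idp01", "urn:test")))
```

Running it shows the vulnerable handler emitting three separate lines (the injected `echo INJECTED` executed as its own command), the quoted handler printing the payload verbatim as one argument, and the hardened handler refusing the payload outright. The allow-list is the part worth copying: an argument list alone stops shell injection, but a strict pattern on what a "server name" may contain also blocks the next bug in whatever the value is later handed to.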

To fix the vulnerability, update FortiWeb 6.3.7 and earlier to 6.3.8 or later, and FortiWeb 6.2.3 and earlier to 6.2.4 or later; installations on the 6.1.x, 6.0.x, and 5.9.x branches should be upgraded to one of those fixed releases, depending on the build in use.

In February 2021, Fortinet fixed four vulnerabilities in FortiWeb discovered by Andrey Medov.

Vulnerability management systems such as MaxPatrol VM can automate the detection and prioritization of such vulnerabilities. To detect signs of compromise (for example, where the update cannot be installed), use a SIEM solution (in particular, MaxPatrol SIEM), which helps identify suspicious behavior on the server, register an incident, and stop intruders from moving laterally within the corporate network in a timely manner.

  1. SAML is an open standard for exchanging authentication and authorization data between parties. It underpins Single Sign-On (SSO), which lets a user access multiple applications with a single identity.