In other words, there is an OS command injection vulnerability in FortiWeb’s management interface (version 6.3.11 and prior) which could allow remote, authenticated attacks via the SAML server configuration page. The flaw was discovered by Rapid7 security researcher William Vu. It is noteworthy that the vulnerability is related to a previous vulnerability, known as CVE-2021-22123.
First of all, what is Fortinet FortiWeb?
Fortinet FortiWeb is a web application firewall (WAF) that captures both known and unknown exploits targeting the protected web applications before they have a chance to execute.
The vulnerability enables an attacker who is authenticated to the management interface of the device to push commands via backticks in the “Name” field of the SAML server configuration page. Because of the flaw, those commands are executed as the root user of the OS.
What is the impact of the FortiWeb vulnerability?
“An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges,” Rapid7 says. The exploitation of the flaw could lead to the installation of a persistent shell, cryptomining software or any other malicious program.
“In the unlikely event the management interface is exposed to the internet, they could use the compromised platform to reach into the affected network beyond the DMZ,” the researchers warn.
Since a patch is not available, users should disable access to the FortiWeb device’s management interface from untrusted networks, including the internet.
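As an added illustration (not code from the article or from Rapid7/Fortinet) of how a defender could watch for both conditions described above, the script below scans constructed management-interface log lines for shell command substitution in the SAML server “Name” field and for requests arriving from outside an assumed trusted admin network. The log format, the `/saml/server` path, the `name=` field and the `10.0.0.0/8` trusted range are all assumptions for the example, not FortiWeb’s real log format.

```python
import re
import ipaddress

# Constructed sample log lines (assumed format, not FortiWeb's):
# "<client ip> <method> <path> <submitted form field or '-'>"
SAMPLE_LOG = [
    "10.0.5.12 POST /saml/server name=corp-idp",
    "198.51.100.7 POST /saml/server name=idp`hostname`",
    "10.0.5.12 POST /saml/server name=idp$(hostname)",
    "10.0.5.12 GET /login -",
]

# Assumed trusted admin network; anything else is an untrusted source.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Backtick and $( ) command substitution have no place in an IdP name.
CMD_SUBST = re.compile(r"`[^`]*`|\$\([^)]*\)")


def parse_line(line):
    """Split one constructed log line into its fields."""
    src, method, path, field = line.split(" ", 3)
    name = field[len("name="):] if field.startswith("name=") else None
    return {"src": src, "method": method, "path": path, "name": name}


def findings(lines, trusted_nets=TRUSTED_NETS):
    """Return (finding, source ip, detail) tuples for suspicious lines."""
    out = []
    for line in lines:
        rec = parse_line(line)
        ip = ipaddress.ip_address(rec["src"])
        # Management interface reached from outside the trusted network.
        if not any(ip in net for net in trusted_nets):
            out.append(("untrusted-source", rec["src"], rec["path"]))
        # Command substitution submitted in the SAML server Name field.
        if rec["name"] is not None and CMD_SUBST.search(rec["name"]):
            out.append(("cmd-subst-in-saml-name", rec["src"], rec["name"]))
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_LOG):
        print(f)
```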