The OS command-injection bug affecting FortiWeb’s web application firewall will get a patch this week, Fortinet said, after initially announcing that the fix would arrive at the end of August.
The issue (CVE pending) can lead to privilege escalation and full takeover of the appliance.
FortiWeb is a popular web security defense platform (a web application firewall, or WAF) that provides protection for business-critical web applications against known and unknown attacks.
The FortiWeb management interface (version 6.3.11 and prior) has a high-severity bug that allows a remote, authenticated attacker to execute arbitrary OS commands via the SAML server configuration page, according to William Vu, the Rapid7 researcher who discovered it.
“Note that while authentication is a prerequisite for this exploit, this vulnerability could be combined with another authentication-bypass issue, such as CVE-2020-29015,” according to a Tuesday write-up on the issue.
Once authenticated, an attacker can execute arbitrary commands by placing backticks in the “Name” field of the SAML Server configuration page. Backticks are the shell’s command-substitution syntax, so their effect indicates that the field’s value is passed unsanitized into a command line that is handed to a shell, which runs whatever is between the backticks before the intended command ever executes.
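The following is an added illustration of the bug class described above, not Rapid7’s proof-of-concept and not FortiWeb code (the real backend and its handling of the name are not public). It assumes a hypothetical configuration step that, for demonstration, simply echoes the new SAML server name; the allowlist pattern is likewise an assumption. The vulnerable form interpolates the field into a shell command line, the second form performs the same action without a shell so that backticks become literal bytes, and the hardened form adds input validation on top of that:

```python
import re
import subprocess

# Allowlist for a SAML server display name. The character set is an
# assumption for this example; the product's real rules are not public.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def vulnerable_add_saml_server(name: str) -> str:
    """Vulnerable pattern: user input interpolated into a shell command line.

    `echo` stands in for whatever a real backend does with the name; the
    point is that shell=True hands the string to /bin/sh, which performs
    command substitution on backticks before echo ever runs.
    """
    cmd = f"echo saml_server_name={name}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout.strip()


def argv_only_add_saml_server(name: str) -> str:
    """Partial fix: same action, but no shell is involved.

    With an argument list and shell=False the backticks are just bytes in
    argv[1]; nothing interprets them as command substitution.
    """
    result = subprocess.run(
        ["echo", f"saml_server_name={name}"], capture_output=True, text=True
    )
    return result.stdout.strip()


def hardened_add_saml_server(name: str) -> str:
    """Defense in depth: validate against an allowlist, then avoid the shell.

    Raises ValueError for any name outside the allowlist, so shell
    metacharacters never reach the command at all.
    """
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected SAML server name: {name!r}")
    return argv_only_add_saml_server(name)


if __name__ == "__main__":
    payload = "`echo INJECTED`"  # constructed sample input, harmless on purpose
    print("vulnerable :", vulnerable_add_saml_server(payload))
    print("argv only  :", argv_only_add_saml_server(payload))
    try:
        hardened_add_saml_server(payload)
    except ValueError as exc:
        print("hardened   :", exc)
    print("hardened ok:", hardened_add_saml_server("corp-idp"))
```

Run stand-alone, the vulnerable function prints `saml_server_name=INJECTED`, showing that the shell executed the embedded command, while the argv-only version prints the backticks literally. The allowlist is the second layer: even if a future code path reintroduces a shell, a name that cannot contain metacharacters cannot carry an injection.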
“An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges,” according to the blog post. “They might install a persistent shell, crypto mining software, or other malicious software.”
If the management interface is exposed to the Internet, the damage could be even greater, according to Rapid7 researchers.
In the analysis, Vu provided proof-of-concept exploit code and showed the HTTP POST request it sends along with the server’s response.
Following the public disclosure and release of the PoC exploit, Fortinet has accelerated its fix for the issue, which is now expected by the end of the week.
“We are working to deliver immediate notification of a workaround to customers and a patch released by the end of the week,” it said in a statement to Threatpost.