A high-severity security bug in a web application firewall (WAF) platform has been disclosed that could allow privilege escalation and full device takeover. The bug is an OS command-injection vulnerability in Fortinet's FortiWeb platform. A patch will be available at the end of the month.
FortiWeb is a web application firewall that protects business-critical web applications from attacks and vulnerabilities, including in cloud deployments, and is designed to keep pace with changes such as newly deployed or updated features and the addition of new web APIs.
The bug (CVE pending) exists in FortiWeb’s management interface (version 6.3.11 and prior) and carries a CVSSv3 base score of 8.7 out of 10, making it high-severity. It can allow a remote, authenticated attacker to execute arbitrary commands on the system via the SAML server configuration page, according to Rapid7 researcher William Vu, who discovered the bug. Because the bug is reachable only through the management interface, limiting that interface to trusted networks reduces exposure until the patch ships.
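As an added illustration of the bug class described above (this is not FortiWeb's code and is not taken from the Rapid7 writeup), the following Python toy models a configuration handler that splices an admin-supplied value into a shell command, next to its hardened form. The handler, the meaning of the "SAML server name" field, the `echo` stand-in command and the use of `/bin/sh` are all assumptions; the page does not describe which command FortiWeb runs or how the value reaches it.

```python
"""Toy model of an OS command injection in a management-page handler.

Added example, not FortiWeb's code. The handler, the "SAML server name"
field semantics and the echo stand-in command are hypothetical; the page
does not describe which command FortiWeb actually runs.
"""
import re
import shlex
import subprocess

# Constructed inputs: a plausible server name, and a payload a malicious
# (or authentication-bypassing) user might submit in the same field.
BENIGN_NAME = "corp-idp"
MALICIOUS_NAME = "corp-idp; echo INJECTED"

# Allowlist for the hardened handler: hostname-like identifiers only. Every
# shell metacharacter (; | & $ ` ( ) < > space, quotes) is excluded.
NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def build_command_vulnerable(server_name: str) -> str:
    """Vulnerable pattern: the untrusted value becomes part of a shell string."""
    return f"echo saving SAML server {server_name}"  # hypothetical command


def shell_commands(command: str) -> list:
    """Tokenise like /bin/sh and split on ';' to count the commands that would run."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def run_vulnerable(server_name: str) -> str:
    """Execute the spliced string via /bin/sh, which is what shell=True does (assumes POSIX)."""
    cmd = build_command_vulnerable(server_name)
    proc = subprocess.run(["/bin/sh", "-c", cmd], capture_output=True, text=True, check=True)
    return proc.stdout


def is_valid_name(server_name: str) -> bool:
    """Hardening step 1: reject anything outside the allowlist before it is used."""
    return NAME_RE.fullmatch(server_name) is not None


def run_argv_only(server_name: str) -> str:
    """Hardening step 2: pass the value as a single argv element with no shell involved.

    Even an unvalidated payload is inert here: echo just prints it back verbatim.
    """
    proc = subprocess.run(["echo", "saving", "SAML", "server", server_name],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def run_hardened(server_name: str) -> str:
    """Both steps together: validate, then exec without a shell."""
    if not is_valid_name(server_name):
        raise ValueError(f"rejected SAML server name: {server_name!r}")
    return run_argv_only(server_name)


if __name__ == "__main__":
    print("shell would run:", shell_commands(build_command_vulnerable(MALICIOUS_NAME)))
    print(run_vulnerable(MALICIOUS_NAME), end="")      # second line reads INJECTED
    print("argv only:", run_argv_only(MALICIOUS_NAME), end="")   # payload echoed literally
    print("hardened:", run_hardened(BENIGN_NAME), end="")
    try:
        run_hardened(MALICIOUS_NAME)
    except ValueError as exc:
        print("hardened rejects:", exc)
```

The two hardening steps are independent: the allowlist stops the payload at the door, and the argv list means that even a value which slips past validation is never re-parsed by a shell. Relying on only one of them is how patches for this bug class tend to get bypassed.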
“Note that while authentication is a prerequisite for this exploit, this vulnerability could be combined with another authentication-bypass issue, such as CVE-2020-29015,” according to a Tuesday writeup on the issue.
“An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges,” according to the writeup. “They might install a persistent shell, crypto mining software, or other malicious software.”
The researchers said that the vulnerability appears to be related to CVE-2021-22123, which was patched in June.