
Researchers find high-severity command injection vuln in Fortinet’s web app firewall

A command injection vulnerability exists in Fortinet’s management interface for its FortiWeb web app firewall, according to infosec firm Rapid7.

An authenticated attacker can use the vuln to execute commands as root on the FortiWeb device, Rapid7 said in a blog post.

Placing backticks “in the ‘name’ field of the SAML Server configuration page,” as Rapid7 describes it, lets an attacker smuggle shell commands into whatever the appliance runs with that value, though obtaining authenticated access to the management interface in the first place is a non-trivial obstacle for attackers to overcome. Nonetheless, the vuln is rated 8.7 on the CVSSv3 scale.

“An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges,” said Rapid7. “They might install a persistent shell, crypto mining software, or use the compromised platform to reach into the affected network beyond the DMZ.”

The researchers said they’d received word that FortiWeb 6.4.1 would include a fix. The update will be released at the end of August. Fortinet’s PSIRT (product security incident response team) page was last updated on 3 August.

Mitigating the vuln in the absence of a patch is straightforward: ensure the management interface isn’t accessible from untrusted networks, such as the wider internet. Since the bug requires an authenticated user, restricting who can reach the management interface also shrinks the pool of accounts an attacker would need to compromise.

Bleeping Computer reported some mild controversy about the timing of the disclosure; Rapid7 alleged it had been left hanging for a month by Fortinet after reporting the vuln, while Fortinet claimed Rapid7 had breached Fortinet’s own vuln reporting guidelines by disclosing it within 90 days. We’ve asked Fortinet for comment and for a timeline on the patch; we will update this article if we hear back from the firm.

Using backticks to “smuggle commands” onto a vulnerable device, as Rapid7 put it, is a fairly old penetration technique. In 2019, The Register revealed that a series of Huawei routers used for years in the UK were vulnerable to command injection attacks using backticks in a similar fashion. Back in 2013, Sophos had to patch a similar web firewall appliance after researchers identified that a function in a Perl script failed to fully escape a script argument prior to executing it – meaning backticks could be used to insert extra commands.
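To make the mechanism concrete, here is an added example (not code from Rapid7, Fortinet, Huawei or Sophos) of the pattern behind all three incidents: a user-supplied configuration value spliced into a command string that is handed to /bin/sh. The function names, the regex allowlist and the sample “name” payload are assumptions for illustration; the payload only runs `echo pwned` so it is safe to try.

```python
import re
import shlex
import subprocess

# Constructed sample inputs, not taken from any advisory. The malicious one
# carries a backtick command substitution; the shell will run `echo pwned`
# and splice its output into the surrounding argument.
MALICIOUS_NAME = "sso-server`echo pwned`"
BENIGN_NAME = "sso-server-1"


def vulnerable_apply_name(name: str) -> str:
    """Vulnerable pattern (hypothetical): the value is formatted straight into a
    command line and executed by a shell. Double quotes do NOT stop backtick
    substitution, so the embedded command runs with this process's privileges
    (root on a typical appliance)."""
    cmd = f'echo "name={name}"'
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True).stdout.strip()


# Allowlist for a config "name": letters, digits, dot, underscore, hyphen.
NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def is_valid_name(name: str) -> bool:
    """Allowlist validation: anything outside the permitted character set
    (backticks, $(), ;, spaces, ...) is rejected rather than escaped."""
    return NAME_RE.fullmatch(name) is not None


def hardened_apply_name_argv(name: str) -> str:
    """Hardened form 1: validate, then avoid the shell entirely. The value is a
    single argv element, so metacharacters are just bytes to the child."""
    if not is_valid_name(name):
        raise ValueError(f"rejected config name: {name!r}")
    return subprocess.run(["echo", f"name={name}"], capture_output=True,
                          text=True).stdout.strip()


def hardened_apply_name_quoted(name: str) -> str:
    """Hardened form 2: when a shell cannot be avoided, shlex.quote wraps the
    value in single quotes so the shell treats it as one literal word. Shown
    without the allowlist so the effect of quoting alone is visible."""
    cmd = "echo " + shlex.quote(f"name={name}")
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True).stdout.strip()


def was_injected(name: str, output: str) -> bool:
    """Quick check: if the literal value no longer appears in the output,
    the shell consumed and executed part of it."""
    return name not in output


if __name__ == "__main__":
    for label, fn in (("vulnerable", vulnerable_apply_name),
                      ("quoted", hardened_apply_name_quoted)):
        out = fn(MALICIOUS_NAME)
        print(f"{label:10s} -> {out!r} injected={was_injected(MALICIOUS_NAME, out)}")
    print("argv+allowlist ->", hardened_apply_name_argv(BENIGN_NAME))
```

The takeaway matches the Sophos case described above: partial escaping of a shell argument is fragile, whereas passing an argv array (no shell) or an allowlist on the value removes the interpretation step that backticks depend on.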

In July, Fortinet disclosed a remote code execution vuln in some of its software products that it patched. The firm’s VPN product is a favourite target of hostile foreign nations’ cyber-attack squads, as we reported earlier this year. ®