Companies using the FortiWeb web application firewall (WAF) should only make the web-based management interface accessible to trustworthy sources and, above all, ensure that it cannot be accessed via the Internet. This – generally very good – recommendation is particularly important at the moment because FortiWeb OS in all versions up to and including 6.3.11 has a remotely exploitable vulnerability.
The vulnerability is expected to be closed with FortiWeb OS 6.4.1, which is due to be released at the end of August. The fact that its discoverers have already published exploit code makes it all the more urgent to install the update quickly once it is available.
Attack requires authentication
The vulnerability, which was discovered by researchers at Rapid7, has not yet been assigned a CVE ID. The CVSS score is 8.7 (“High”). It is a command injection vulnerability on the SAML server configuration page of the web interface.
Assuming access to the interface and a successful login with normal user rights, attackers could “smuggle” commands into a field in the configuration area and transmit them to the server using a specific syntax. These would then be executed as root, i.e. with the highest possible privileges. A blog entry by Rapid7 explains the exploit process in great detail using an example.
Dispute over “Responsible” Disclosure
According to a timeline in the blog entry, Rapid7 informed Fortinet of the security vulnerability on June 10; the blog entry and exploit code were then published on August 17th. A Fortinet spokesman told ZDNet that a time window of 90 days was assumed in which the company would have the opportunity to develop a patch before details were published.
In fact, 90 days is a common framework for the Responsible Disclosure process, which is granted, for example, by Google’s Project Zero. With the Zero Day Initiative (ZDI) it is even 120 days. And Fortinet’s own research team also gives other companies 90 days to provide updates for their products, according to its Disclosure Policy.
Fortinet is now working flat out on the secured FortiWeb OS version. In the meantime, users should secure the management interface as described above (with access only from the internal network or VPN, for example) and keep an eye on Fortinet’s PSIRT advisories for further information.
Update 08/19/21, 9:48 am: Fortinet has now published an advisory that contains more detailed information on the affected FortiWeb OS and the planned updates: