HC3 TLP:WHITE Sector Alert: FortiWeb Zero-Day Vulnerability - August 19, 2021

Executive Summary

A zero-day command injection vulnerability has been identified in Fortinet’s FortiWeb web application firewall (WAF) and affects versions 6.3.11 and earlier. This OS command injection vulnerability allows remote, authenticated attackers to execute arbitrary commands on the system through the SAML server configuration page, allowing for full compromise of the system and the potential for further compromise of the enterprise network. Fortinet will be releasing a patch on or about August 20, 2021, which is intended to fix this vulnerability. HC3 recommends all HPH sector entities test and apply the FortiWeb firewall patch to any vulnerable system as soon as it becomes available.

Report

A researcher recently reported the FortiWeb WAF zero-day vulnerability, which has yet to receive a CVE ID and which impacts Fortinet FortiWeb versions 6.3.11 and earlier. The OS command injection vulnerability in FortiWeb's management interface allows an authenticated attacker to remotely execute arbitrary commands as the root user on the underlying system via the SAML server configuration page. This is an instance of CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') and has a CVSSv3 base score of 8.7. This vulnerability is related to CVE-2021-22123, which was addressed in FG-IR-20-120.
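The following is an added, constructed illustration of the CWE-78 pattern the alert describes (a form field from a management page reaching a shell) next to its hardened form; it is not FortiWeb code, and the field name, the `echo` command and the allowlist are hypothetical assumptions.

```python
import re
import subprocess
from typing import List

# Constructed illustration of CWE-78; NOT FortiWeb code. The field name,
# command and allowlist below are hypothetical.
SAML_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def build_cmd_vulnerable(server_name: str) -> str:
    """Vulnerable pattern: a value from the config form is spliced into a
    string destined for a shell (e.g. subprocess with shell=True). Any shell
    metacharacter in the value is interpreted instead of being stored."""
    return f"echo saml-server {server_name}"


def build_cmd_hardened(server_name: str) -> List[str]:
    """Hardened pattern: allowlist the value, then pass it as its own argv
    element so no shell ever parses it."""
    if not SAML_NAME_RE.fullmatch(server_name):
        raise ValueError("SAML server name contains disallowed characters")
    return ["echo", "saml-server", server_name]


def run_hardened(server_name: str) -> str:
    """Execute the hardened form without a shell and return its stdout."""
    proc = subprocess.run(build_cmd_hardened(server_name),
                          capture_output=True, text=True, check=True)
    return proc.stdout


def flag_config_value(value: str) -> bool:
    """Audit helper: True when a submitted value fails the allowlist. Useful
    when reviewing management-interface change logs for this field."""
    return SAML_NAME_RE.fullmatch(value) is None
```

The vulnerable builder is deliberately never executed here; it only shows how the submitted value ends up inside the command line.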

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

Senior Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272