URL: https://threatpost.com/unpatched-fortinet-bug-firewall-takeovers/168764/
Submission: On August 21 via api from US


UNPATCHED FORTINET BUG ALLOWS FIREWALL TAKEOVERS

Author: Tara Seals
August 18, 2021 8:07 am
3 minute read
The OS command-injection bug, in the web application firewall (WAF) platform
known as FortiWeb, will get a patch this week.

UPDATE

An unpatched OS command-injection security vulnerability has been disclosed in
Fortinet’s web application firewall (WAF) platform, known as FortiWeb. It could
allow privilege escalation and full device takeover, researchers said.

FortiWeb is a cybersecurity defense platform aimed at protecting
business-critical web applications from attacks that target known and unknown
vulnerabilities. The firewall is designed to keep pace with the deployment of
new or updated features and the addition of new web APIs, according to Fortinet.

The bug (CVE pending) exists in FortiWeb’s management interface (version 6.3.11
and prior) and carries a CVSSv3 base score of 8.7 out of 10, making it
high-severity. It can allow a remote, authenticated attacker to execute
arbitrary commands on the system via the SAML server configuration page,
according to Rapid7 researcher William Vu, who discovered the bug.



“Note that while authentication is a prerequisite for this exploit, this
vulnerability could be combined with another authentication-bypass issue, such
as CVE-2020-29015,” according to a Tuesday writeup on the issue.

Once attackers are authenticated to the management interface of the FortiWeb
device, they can smuggle commands using backticks in the “Name” field of the
SAML Server configuration page. These commands are then executed as the root
user of the underlying operating system.
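As an added illustration (not FortiWeb’s or Rapid7’s code, which the article does not show), the following Python contrasts the vulnerable pattern behind a backtick injection in a free-text name field with two defensive layers: an allow-list validator and argv passing that never hands the value to a shell. The command name `saml-ctl`, the allow-list pattern and the sample names are constructed assumptions.

```python
import re
import subprocess
import sys

# Constructed sample values for a free-text "Name" field; the second carries
# a shell command substitution in backticks (harmless `hostname` stand-in).
SAMPLE_NAMES = ["corp-idp", "corp-idp`hostname`"]

# Hypothetical allow-list: identifier-like names only, 1-64 characters.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

# Shell syntax that turns data into code once a string reaches /bin/sh.
SUBSTITUTION_MARKERS = ("`", "$(", ";", "|", "&", "\n")


def build_shell_string_unsafe(name: str) -> str:
    """Vulnerable pattern: the raw field value is interpolated into a command
    string. If this string were run with shell=True, the backtick segment
    would execute as the process owner (root, in the case the article
    describes). It is only constructed here, never executed."""
    return f"saml-ctl add --name {name}"


def audit_name(name: str) -> list[str]:
    """Detection helper for config validation or log review: list every
    reason a submitted name should be rejected."""
    reasons = [f"contains shell metacharacter {m!r}"
               for m in SUBSTITUTION_MARKERS if m in name]
    if not NAME_RE.fullmatch(name):
        reasons.append("does not match allow-list pattern")
    return reasons


def is_accepted(name: str) -> bool:
    """True when the validator would let the name through."""
    return not audit_name(name)


def build_argv(name: str) -> list[str]:
    """Hardened pattern. Layer 1: validate against the allow-list.
    Layer 2: pass the value as its own argv element so no shell parses it."""
    problems = audit_name(name)
    if problems:
        raise ValueError(f"rejected SAML server name {name!r}: {'; '.join(problems)}")
    return ["saml-ctl", "add", "--name", name]


def echo_via_argv(name: str) -> str:
    """Show that argv passing (shell=False) keeps backticks literal even for a
    name the validator would reject. A Python child process stands in for the
    real binary so the demo runs anywhere Python does."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", name],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.rstrip("\n")


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(f"{n!r}: unsafe string -> {build_shell_string_unsafe(n)!r}")
        print(f"{n!r}: audit -> {audit_name(n) or 'ok'}")
        print(f"{n!r}: argv child printed -> {echo_via_argv(n)!r}")
```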

“An attacker can leverage this vulnerability to take complete control of the
affected device, with the highest possible privileges,” according to the
writeup. “They might install a persistent shell, crypto mining software, or
other malicious software.”

The damage could be worse if the management interface is exposed to the
internet: Rapid7 noted that attackers could pivot to the wider network in that
case. However, Rapid7 researchers identified fewer than three hundred appliances
that appeared to be exposed in this way.

In the analysis, Vu provided proof-of-concept exploit code, which uses an HTTP
POST request and response.

In light of the disclosure, Fortinet has sped up plans to release a fix for the
problem with FortiWeb 6.4.1 — originally planned for the end of August, it will
now be available by the end of the week.

“We are working to deliver immediate notification of a workaround to customers
and a patch released by the end of the week,” it said in a statement provided to
Threatpost.

The firm also noted that Rapid7’s disclosure was a bit of a surprise given
vulnerability-disclosure norms in the industry.

“The security of our customers is always our first priority. Fortinet recognizes
the important role of independent security researchers who work closely with
vendors to protect the cybersecurity ecosystem in alignment with their
responsible disclosure policies. In addition to directly communicating with
researchers, our disclosure policy is clearly outlined on the Fortinet PSIRT
Policy page, which includes asking incident submitters to maintain strict
confidentiality until complete resolutions are available for customers. As
such, we had expected that Rapid7 hold any findings prior to the end of our
90-day responsible disclosure window. We regret that in this instance,
individual research was fully disclosed without adequate notification prior to
the 90-day window.”

For now, Rapid7 offered straightforward advice:

“In the absence of a patch, users are advised to disable the FortiWeb device’s
management interface from untrusted networks, which would include the internet,”
according to Rapid7. “Generally speaking, management interfaces for devices like
FortiWeb should not be exposed directly to the internet anyway — instead, they
should be reachable only via trusted, internal networks, or over a secure VPN
connection.”

The Rapid7 researchers said that the vulnerability appears to be related to
CVE-2021-22123, which was patched in June.


FORTINET: POPULAR FOR EXPLOIT

The vendor is no stranger to cybersecurity bugs in its platforms, and Fortinet’s
cybersecurity products are popular as exploitation avenues with cyberattackers,
including nation-state actors. Users should prepare to patch quickly.

In April, the FBI and the Cybersecurity and Infrastructure Security Agency
(CISA) warned that various advanced persistent threats (APTs) were actively
exploiting three security vulnerabilities in the Fortinet SSL VPN for espionage.
Exploits for CVE-2018-13379, CVE-2019-5591 and CVE-2020-12812 were being used
to gain a foothold within networks before moving laterally and carrying out
reconnaissance, they warned.

One of those bugs, a Fortinet vulnerability in FortiOS, was also seen being used
to deliver a new ransomware strain, dubbed Cring, that is targeting industrial
enterprises across Europe.

This post was updated August 18 at 1:30 p.m. ET with a statement from Fortinet.
