Researchers at Rapid7 today disclosed a critical zero-day vulnerability in Fortinet's FortiWeb Web application firewall (WAF) technology that attackers can exploit to gain complete control of affected devices.
The OS command injection vulnerability — a flaw that allows attackers to execute commands on the host operating system — exists in versions 6.3.11 and prior of FortiWeb's Web management interface.
An attacker with authenticated access to the interface can abuse the flaw to execute a variety of actions with the highest possible privileges on the system, including installing a persistent shell and deploying crypto-mining software or other malware. In situations where an organization might have exposed the management interface to the Internet, an attacker could abuse the flaw to breach the network beyond the DMZ, Rapid7 warns.
No patch is currently available for the flaw. Rapid7 recommends that organizations using vulnerable versions of the technology disable the device management interface from all untrusted networks, including the Internet, and make sure it is reachable only via VPN or through trusted internal networks.
Tod Beardsley, director of research at Rapid7, says the company publicly released details of the zero-day flaw in accordance with its policies for responsible disclosure.
"We tend to stick to a 60-day minimum for disclosing issues," Beardsley says. "Unfortunately, we hadn't heard back from Fortinet after 66 days or so." Shortly after the flaw was disclosed, he says, Fortinet indicated it would release a fix by the end of August.
A spokeswoman from Fortinet says the company is working on immediate notification of a workaround for customers and plans to have a patch as soon as the end of this week. Fortinet's own policies for handling vulnerability disclosures by third-party security researchers stipulate a 90-day responsible disclosure window, she says.
"We regret that in this instance individual research was fully disclosed without adequate notification prior to the 90-day window," the spokeswoman says.
According to Rapid7, the newly disclosed flaw appears related to another OS command injection flaw (CVE-2021-22123) that Fortinet patched on June 1. As with the new flaw, the previous issue also gave remote authenticated attackers a way to execute arbitrary commands on impacted systems via the SAML server configuration page.
The flaw disclosed this week allows an authenticated attacker to smuggle malicious commands into an impacted device using backtick — or command substitution — symbols in the "Name" field of the SAML Server configuration page. In a Unix shell, any command placed between a pair of backticks is executed first, and its output is then substituted into the actual or main command. Rapid7 included an exploit of the vulnerability to demonstrate how it works.
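As an added illustration (not Rapid7's exploit and not Fortinet's code), the following contrasts the vulnerable handling pattern the article describes, where a configuration name is spliced into a shell command string so that backticks or `$( )` run first, with a hardened form that allow-lists the value and passes it as a discrete argument with no shell involved. The `saml-config` command, the allowed-character policy and the sample names are assumptions for the example.

```python
import re
import shlex
from typing import List

# Assumed policy for a SAML server display name: letters, digits, space,
# dot, underscore and hyphen, 1-64 characters. Not Fortinet's actual rule.
NAME_ALLOWED = re.compile(r"^[A-Za-z0-9 ._-]{1,64}$")

# Shell constructs that turn a "name" into executable code once the value is
# interpolated into a command line. The first two are command substitution.
SHELL_CONSTRUCTS = {
    "backtick substitution": re.compile(r"`"),
    "dollar substitution": re.compile(r"\$\("),
    "parameter expansion": re.compile(r"\$\{?[A-Za-z_]"),
    "command chaining": re.compile(r"[;|&\n]"),
    "redirection": re.compile(r"[<>]"),
}


def find_shell_constructs(value: str) -> List[str]:
    """Labels of shell constructs present in a submitted value (for logging/alerting)."""
    return [label for label, pat in SHELL_CONSTRUCTS.items() if pat.search(value)]


def is_valid_name(name: str) -> bool:
    """Allow-list check: anything outside the permitted character set is rejected."""
    return NAME_ALLOWED.fullmatch(name) is not None


def unsafe_command(name: str) -> str:
    """Vulnerable pattern: user input spliced into a shell string, so `...` executes first."""
    return f"saml-config set name={name}"  # never pass this to a shell


def safe_argv(name: str) -> List[str]:
    """Hardened form: validate, then pass the value as one argv element (no shell parsing)."""
    if not is_valid_name(name):
        reason = ", ".join(find_shell_constructs(name)) or "disallowed characters"
        raise ValueError(f"rejected SAML server name: {reason}")
    return ["saml-config", "set", f"name={name}"]


def quoted_command(name: str) -> str:
    """If a shell string is unavoidable, shlex.quote makes the value a single literal word."""
    return f"saml-config set name={shlex.quote(name)}"
```

`safe_argv` output is meant for `subprocess.run(argv)` without `shell=True`; `quoted_command` shows that quoting keeps the backticks as literal characters rather than as substitution.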
Beardsley says the new flaw in FortiWeb's management interface is a post-authentication flaw, which means attackers need to have some level of previous access to the device to exploit it.
"But the vulnerability itself allows an authenticated Web application user to promote themselves to root-level access on the host operating system," he notes. "This grants the attacker significantly better access to more than just FortiWeb. They can control the underlying operating system directly, so that opens the door to installing other, malicious applications on the device."
In addition, the vulnerability could be combined with other vulnerabilities, such as CVE-2020-29015, a blind SQL injection flaw in the user interface of some versions of FortiWeb that allows attackers to bypass authentication measures, Rapid7 said.
Researchers have uncovered multiple vulnerabilities in Fortinet's FortiWeb WAF over the past several months. Early this year, researchers from Positive Technologies disclosed four vulnerabilities of varying severity in FortiWeb. Among them were a SQL injection flaw and a buffer overflow issue that allowed remote code execution. In June, Positive Technologies reported another command injection vulnerability in the FortiWeb management interface that enabled remote code execution attacks on impacted devices. Fortinet has issued patches for all these flaws.