According to the researcher who discovered them, multiple potentially serious vulnerabilities in Fortinet’s FortiWeb web application firewall (WAF) may expose corporate networks to attacks.
This week, Fortinet informed customers that patches are available for a total of four vulnerabilities affecting its FortiWeb product. According to advisories published by the company, the vulnerabilities can be abused for denial-of-service (DoS) attacks and to execute unauthorised code or commands.
They have been given the CVE identifiers CVE-2020-29015, CVE-2020-29016, CVE-2020-29019 and CVE-2020-29018.
Three of the bugs, described as an SQL injection flaw and two buffer overflows, can be abused without authentication by a remote attacker. Fortinet, though, assigned them only a CVSS score of 6.4 (medium severity) and a 3/5 risk grade.
Andrey Medov, Optimistic Technologies’ lead security researcher, who found the bugs, said that he does not agree with Fortinet’s assessment.
“We believe that the severity is more critical than the vendor’s assigned score,” said Medov. “CVE-2020-29016, for instance, will allow code execution, a danger normally graded very high, such as 9.8. It is very likely that it will be abused, so we will not give it a 3 out of 5, but a 5 out of 5 on this flat scale. In comparison, 3 out of 4 of the bugs we found do not require permission for attackers to exploit them, suggesting they are very important.”
The bugs were noticed in the management interface of FortiWeb.
“The attacker can exploit the vulnerabilities and further develop attacks on the corporate network if the admin panel is accessed from outside an enterprise,” Medov clarified.
The researcher said the vulnerability disclosure process took 120 days.
Considering that threat actors, including those connected to nation states, have been found to exploit vulnerabilities in Fortinet devices, it is critical that users deploy the available patches as soon as possible.