Fortinet has fixed multiple severe vulnerabilities impacting its products.
The vulnerabilities range from Remote Code Execution (RCE) to SQL Injection, to Denial of Service (DoS) and impact the FortiProxy SSL VPN and FortiWeb Web Application Firewall (WAF) products.
Some vulnerabilities reported 2 years ago
Multiple advisories published by FortiGuard Labs this month and in January 2021 mention various critical vulnerabilities that Fortinet has been patching in their products.
Some of these vulnerabilities shown below had been previously reported in other Fortinet products but were fixed only recently in FortiProxy SSL VPN versions shown below.
| CVE ID | Vulnerability type | Impacted products | Fixed versions | Date first published | Date Fixed |
| CVE-2018-13383 | DoS, RCE | FortiProxy SSL VPN 2.0.0 and below, 1.2.8 and below, 1.1.6 and below, 1.0.7 and below. | FortiProxy SSL VPN >= 2.0.1 and >= 1.2.9. | April 2, 2019 | February 1, 2021 |
| CVE-2018-13381 | DoS | FortiProxy SSL VPN 2.0.0 and below, 1.2.8 and below, 1.1.6 and below, 1.0.7 and below. | FortiProxy SSL VPN >= 2.0.1 and >= 1.2.9. | May 17, 2019 | February 1, 2021 |
| CVE-2020-29015 | SQL Injection | FortiWeb 6.3.7 and below, 6.2.3 and below. | FortiWeb >= 6.3.8, >= 6.2.4 | Jan 4, 2021 | Jan 4, 2021 |
| CVE-2020-29016 | RCE | FortiWeb 6.3.5 and below, 6.2.3 and below | FortiWeb >= 6.3.6, >= 6.2.4 | Jan 4, 2021 | Jan 4, 2021 |
| CVE-2020-29017 | RCE | FortiDeceptor 3.1.0 and below, 3.0.1 and below. | FortiDeceptor >= >= 3.2.0, 3.1.1, >= 3.0.2 | Jan 4, 2021 | Jan 4, 2021 |
| CVE-2020-29018 | RCE | FortiWeb 6.3.5 and below | FortiWeb >= 6.3.6 | Jan 4, 2021 | Jan 4, 2021 |
| CVE-2020-29019 | DoS | FortiWeb 6.3.7 and below, 6.2.3 and below | FortiWeb >= 6.3.8, >= 6.2.4 | Jan 4, 2021 | Jan 4, 2021 |
Of particular note is the vulnerability CVE-2018-13381 in FortiProxy SSL VPN that can be triggered by a remote, unauthenticated actor through a crafted POST request.
Due to a buffer overflow in the SSL VPN portal of FortiProxy, a specially crafted POST request of large size, when received by the product is capable of crashing it, leading to a Denial of Service (DoS) condition.
Likewise, CVE-2018-13383 is interesting in that an attacker can abuse it to trigger an overflow in the VPN via JavaScript's HREF content property.
Should an attacker-crafted webpage containing the JavaScript payload be parsed by FortiProxy SSL VPN, remote code execution is possible, in addition to DoS.
Whereas, vulnerabilities made public in January 2021, make SQL Injection, RCE, and DoS possible in various ways.
Vulnerabilities in FortiWeb Web Application Firewall were discovered and responsibly reported by researcher Andrey Medov at Positive Technologies.
"The most dangerous of these four vulnerabilities are the SQL Injection (CVE-2020-29015) and Buffer Overflow (CVE-2020-29016) as their exploitation does not require authorization."
"The first allows you to obtain the hash of the system administrator account due to excessive DBMS user privileges, which gives you access to the API without decrypting the hash value."
"The second one allows arbitrary code execution. Additionally, the format string vulnerability (CVE-2020-29018) also may allow code execution, but its exploitation requires authorization," says Medov in a blog post.
Additionally, Meh Chang and Orange Tsai of the DEVCORE Security Research Team have been credited for responsibly reporting the flaws in FortiProxy SSL VPN.
Whereas, FortiDeceptor RCE vulnerability was reported by Chua Wei Kiat.
Critical vulnerabilities rated as "Medium"
It is worth noting many of these vulnerabilities have been rated by the NVD as having a High or Critical severity rating, in accordance with CVSS 3.1 scoring guidelines.
However, it is not clear why these flaws are marked as posing a medium threat in advisories published by FortiGuard Labs.
For example, the blind SQL injection security flaw in FortiWeb can be exploited by an unauthenticated actor to execute arbitrary SQL queries or commands via web requests that have malicious SQL statements injected in the Authorization header.
That is possibly why it was assigned a Critical severity with a CVSS 3.1 score of 9.8 by the NVD, as opposed to a Medium (6.4) score reported by Fortinet.
BleepingComputer has observed similar scoring discrepancies for other Fortinet vulnerabilities as well.
Last year, as reported by BleepingComputer, hackers had posted a list of almost 50,000 vulnerable Fortinet VPNs with a years old Path Traversal flaw.
Some of these VPNs were in active use by governments, telecoms, banks, and financial organizations around the world.
As a result of this list having been made public, the same week, another threat actor had posted plain text credentials of these 50,000 VPNs on hacker forums.
Fortinet customers are therefore advised to upgrade to fixed versions of their products as soon as possible to protect against such critical vulnerabilities.
Comments
doriel - 3 years ago
So.. Is the FortiClient affected/vulnerable still, if those holes were patched only in FortiWeb and FortiProxy?
MeowserKat - 3 years ago
What version(s) of the Firewall firmware include the patch releases of these vulnerabilities?
doriel - 3 years ago
I think Firewall was not patched yet. According to this sentence:
Some of these vulnerabilities shown below had been previously reported in other Fortinet products but were fixed only recently in FortiProxy SSL VPN versions shown below.
No Firewall mentioned there.. Neither FortiClient which we use.