
=====================================================================

                             CERT-Renater

                   Note d'Information No. 2021/VULN061
_____________________________________________________________________

DATE                : 03/02/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running FortiWeb versions prior to 7.0.0,
                     6.4.2, 6.3.17 and 6.2.7.

=====================================================================
https://fortiguard.fortinet.com/psirt/FG-IR-21-158
https://fortiguard.fortinet.com/psirt/FG-IR-21-132
https://fortiguard.fortinet.com/psirt/FG-IR-21-166
https://fortiguard.fortinet.com/psirt/FG-IR-21-180
_____________________________________________________________________

FortiWeb - arbitrary file/directory deletion

IR Number    : FG-IR-21-158
Date         : Feb 1, 2022
Risk         : 4/5
CVSSv3 Score : 7.7
Impact       : Execute unauthorized code or commands
CVE ID       : CVE-2021-42753
Affected Products: FortiWeb: 6.4.1, 6.4.0, 6.3.9, 6.3.8, 6.3.7, 6.3.6,
6.3.5, 6.3.4, 6.3.3, 6.3.2, 6.3.15, 6.3.14, 6.3.13, 6.3.12, 6.3.11,
6.3.10, 6.3.1, 6.3.0, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0,
6.1.2, 6.1.1, 6.1.0, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1,
6.0.0, 5.9.1, 5.9.0, 5.8.7, 5.8.6, 5.8.5, 5.8.3, 5.8.2, 5.8.1, 5.8.0


Summary

An improper limitation of a pathname to a restricted directory ('Path
Traversal') vulnerability [CWE-22] in FortiWeb management interface may
allow an authenticated attacker to perform an arbitrary file and
directory deletion in the device filesystem.
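
The pattern behind this class of bug, shown as an added illustration in Python that is not FortiWeb code and says nothing about how the product's own handler is written: a delete handler that joins a request-supplied name onto a base directory, next to a version that canonicalises the path and refuses anything that resolves outside that base. The names delete_unsafe, resolve_inside, delete_safe and the 'uploads' / 'config.db' objects in demo() are hypothetical, and the scenario is constructed in a temporary directory.

```python
import os
import shutil
import tempfile


def delete_unsafe(base_dir, user_path):
    """Vulnerable pattern: the request parameter is joined onto the base
    directory and removed without checking where the result points.
    '../' walks out of base_dir, and an absolute user_path makes
    os.path.join discard base_dir altogether."""
    os.remove(os.path.join(base_dir, user_path))


def resolve_inside(base_dir, user_path):
    """Canonicalise both paths (this resolves '..' and symlinks) and refuse
    any target that is not strictly below the canonical base directory."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if target == base or os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes %s: %r" % (base, user_path))
    return target


def delete_safe(base_dir, user_path):
    """Hardened handler: only deletes what resolve_inside() accepted."""
    os.remove(resolve_inside(base_dir, user_path))


def demo():
    """Constructed scenario (hypothetical names): a deletable 'uploads'
    directory next to a 'config.db' that must survive. Returns one flag
    per case so the outcome can be checked rather than read off stdout."""
    root = tempfile.mkdtemp()
    results = {}
    try:
        uploads = os.path.join(root, "uploads")
        os.mkdir(uploads)
        protected = os.path.join(root, "config.db")
        open(protected, "w").close()

        # 1. Unsafe handler: '../config.db' deletes the file outside uploads/.
        delete_unsafe(uploads, "../config.db")
        results["unsafe_deleted_outside"] = not os.path.exists(protected)
        open(protected, "w").close()

        # 2. Hardened handler rejects the same traversal; the file survives.
        try:
            delete_safe(uploads, "../config.db")
            results["safe_blocked_traversal"] = False
        except ValueError:
            results["safe_blocked_traversal"] = os.path.exists(protected)

        # 3. An absolute path makes os.path.join drop the base; rejected too.
        try:
            delete_safe(uploads, protected)
            results["safe_blocked_absolute"] = False
        except ValueError:
            results["safe_blocked_absolute"] = os.path.exists(protected)

        # 4. A symlink inside uploads/ pointing outside is caught by realpath().
        os.symlink(protected, os.path.join(uploads, "link"))
        try:
            delete_safe(uploads, "link")
            results["safe_blocked_symlink"] = False
        except ValueError:
            results["safe_blocked_symlink"] = os.path.exists(protected)

        # 5. A legitimate name inside uploads/ still works.
        legit = os.path.join(uploads, "upload-1.bin")
        open(legit, "w").close()
        delete_safe(uploads, "upload-1.bin")
        results["safe_allowed_inside"] = not os.path.exists(legit)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print("%-24s %s" % (case, ok))
```

The check is done on the canonical path, not on the raw parameter: filtering the string for "../" misses absolute paths, encoded separators and symlinks, whereas comparing realpath() results covers all three.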


Affected Products

FortiWeb 6.4.1 and below.
FortiWeb 6.3.15 and below.
FortiWeb 6.2.x, 6.1.x, 6.0.x, 5.9.x and 5.8.x.


Solutions

Please upgrade to FortiWeb 6.4.2 or above.
Please upgrade to FortiWeb 6.3.16 or above.


Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of Fortinet Product
Security team.


_____________________________________________________________________

FortiWeb - Stack-based buffer overflow in command line interpreter

IR Number    : FG-IR-21-132
Date         : Feb 1, 2022
Risk         : 4/5
CVSSv3 Score : 6.3
CVE ID       : CVE-2021-36193
Affected Products: FortiWeb: 6.4.2, 6.4.1, 6.4.0, 6.3.9, 6.3.8, 6.3.7,
6.3.6, 6.3.5, 6.3.4, 6.3.3, 6.3.2, 6.3.16, 6.3.15, 6.3.14, 6.3.13,
6.3.12, 6.3.11, 6.3.10, 6.3.1, 6.3.0, 6.2.6, 6.2.5, 6.2.4, 6.2.3,
6.2.2, 6.2.1, 6.2.0, 6.1.2, 6.1.1, 6.1.0, 6.0.7, 6.0.6, 6.0.5, 6.0.4,
6.0.3, 6.0.2, 6.0.1, 6.0.0, 5.9.1, 5.9.0, 5.8.7, 5.8.6, 5.8.5, 5.8.3,
5.8.2, 5.8.1, 5.8.0, 5.7.3, 5.7.2, 5.7.1, 5.7.0, 5.6.2, 5.6.1, 5.6.0,
5.5.7, 5.5.6, 5.5.5, 5.5.4, 5.5.3, 5.5.2, 5.5.1, 5.5.0, 5.4.1, 5.4.0,
5.3.9, 5.3.8, 5.3.7, 5.3.6, 5.3.5, 5.3.4, 5.3.3, 5.3.2, 5.3.1, 5.3.0,
5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1.4, 5.1.3, 5.1.2, 5.1.1,
5.1.0, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, 5.0.1, 5.0.0


Summary

Multiple stack-based buffer overflows [CWE-121] in the command line
interpreter of FortiWeb may allow an authenticated attacker to achieve
arbitrary code execution via specially crafted commands.


Affected Products

FortiWeb 6.4.1 and earlier.
FortiWeb 6.3.15 and earlier.
FortiWeb 6.2.5 and earlier.
FortiWeb 6.1.2 and earlier.
FortiWeb 6.0.7 and earlier.
All FortiWeb versions 5.x are also affected.


Solutions

Upgrade to FortiWeb 6.4.2 and later.
Upgrade to FortiWeb 6.3.16 and later.
Upgrade to FortiWeb 6.2.6 and later.

Fixes for older versions to be confirmed.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of Fortinet
Product Security team.


_____________________________________________________________________


FortiWeb - OS command injection due to unsafe input validation function

IR Number    : FG-IR-21-166
Date         : Feb 1, 2022
Risk         : 4/5
CVSSv3 Score : 8.3
Impact       : Execute unauthorized code or commands
CVE ID       : CVE-2021-41018
Affected Products: FortiWeb: 6.4.1, 6.4.0, 6.3.9, 6.3.8, 6.3.7, 6.3.6,
6.3.5, 6.3.4, 6.3.3, 6.3.2, 6.3.15, 6.3.14, 6.3.13, 6.3.12, 6.3.11,
6.3.10, 6.3.1, 6.3.0, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0


Summary

An improper neutralization of special elements used in an OS command
vulnerability ('OS Command Injection') [CWE-78] in FortiWeb may allow
authenticated users to execute unauthorized code or commands via
crafted HTTP GET requests to WAD configuration handlers.


Affected Products

FortiWeb version 6.4.1 and below
FortiWeb version 6.3.15 and below
FortiWeb version 6.2.6 and below


Solutions

Upgrade to the upcoming FortiWeb version 7.0.0 or above

Upgrade to FortiWeb version 6.4.2 or above

Upgrade to FortiWeb version 6.3.16 or above

Upgrade to FortiWeb version 6.2.7 or above


Acknowledgement

Internally discovered and reported by Mattia Fecit of the Fortinet
Product Security team

_____________________________________________________________________


FortiWeb - OS command injection due to direct input interpolation in API controllers

IR Number    : FG-IR-21-180
Date         : Feb 1, 2022
Risk         : 4/5
CVSSv3 Score : 8.3
Impact       : Execute unauthorized code or commands
CVE ID       : CVE-2021-43073
Affected Products: FortiWeb: 6.4.1, 6.4.0, 6.3.9, 6.3.8, 6.3.7, 6.3.6,
6.3.5, 6.3.4, 6.3.3, 6.3.2, 6.3.16, 6.3.15, 6.3.14, 6.3.13, 6.3.12,
6.3.11, 6.3.10, 6.3.1, 6.3.0, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2,
6.2.1, 6.2.0, 6.1.2, 6.1.1, 6.1.0, 6.0.7, 6.0.6, 6.0.5, 6.0.4,
6.0.3, 6.0.2, 6.0.1, 6.0.0, 5.9.1, 5.9.0, 5.8.7, 5.8.6, 5.8.5,
5.8.3, 5.8.2, 5.8.1, 5.8.0


Summary

An improper neutralization of special elements used in an OS command 
('OS Command Injection') vulnerability [CWE-78] in FortiWeb may allow
an authenticated attacker to execute arbitrary code or commands via
crafted HTTP requests to ApplicationDelivery, JsonProtection and
WebProtection controllers.
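
The two command-injection entries describe the same root cause from two angles: FG-IR-21-166 blames an unsafe input validation function, FG-IR-21-180 direct interpolation of request input. The Python below is an added illustration for both, not FortiWeb code, and says nothing about the product's actual handlers. It puts a blocklist-style validator and a shell-interpolated command next to an allowlist validator and an argv-style call; 'echo' stands in for whatever tool the handler really invokes so the example runs harmlessly, and the function and parameter names are hypothetical.

```python
import re
import subprocess


def validate_blocklist(value):
    """Weak validator: strips a few shell separators and passes the rest.
    It does nothing about $(...), backticks, newlines or quotes."""
    for ch in ";|&":
        value = value.replace(ch, "")
    return value


SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def validate_allowlist(value):
    """Strict validator: accept only the character class a profile name
    legitimately needs and reject everything else outright."""
    if not SAFE_NAME.fullmatch(value):
        raise ValueError("rejected parameter: %r" % value)
    return value


def run_interpolated(name):
    """Vulnerable pattern: the request parameter is spliced into a command
    line that a shell then parses, guarded only by the weak validator."""
    cmd = "echo profile=" + validate_blocklist(name)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv_unvalidated(name):
    """No shell: the value travels as exactly one argv element, so shell
    syntax inside it is inert. Still validate, because the called program
    may interpret it itself (options, paths)."""
    return subprocess.run(["echo", "profile=" + name],
                          capture_output=True, text=True).stdout


def run_hardened(name):
    """Allowlist validation plus argv form."""
    return subprocess.run(["echo", "profile=" + validate_allowlist(name)],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "x$(echo INJECTED)"
    print(repr(run_interpolated(payload)))      # substitution ran in the shell
    print(repr(run_argv_unvalidated(payload)))  # literal text, nothing executed
    print(repr(run_hardened("web-profile_1")))
```

With the input "x$(echo INJECTED)" the blocklist passes the string untouched and the shell expands the substitution, while the same string through the argv path is printed literally; "x; echo INJECTED" happens to be caught by the blocklist, which is exactly why a blocklist gives false confidence.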


Affected Products

FortiWeb version 6.4.1 and below
FortiWeb version 6.3.16 and below
FortiWeb version 6.2.6 and below


Solutions

Upgrade to the upcoming FortiWeb version 7.0.0 or above

Upgrade to FortiWeb version 6.4.2 or above

Upgrade to FortiWeb version 6.3.17 or above

Upgrade to FortiWeb version 6.2.7 or above

Fix for FortiWeb versions 6.1, 6.0, 5.9 to be confirmed.


Acknowledgement

Internally discovered and reported by Mattia Fecit of Fortinet Product
Security team.

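A version check that applies the affected/fixed data from the four entries above, added here as a worked example; it is not a Fortinet tool, and the banner string it parses is a constructed sample, not the product's real CLI output format. For a running release it reports, per advisory, whether that release is fixed, affected with a fix on its branch, affected with no fix named for that branch, or not listed at all, and names the lowest same-branch release that closes all four.

```python
import re

# Added illustration, not a Fortinet tool. The data below is transcribed from
# the four PSIRT entries in this note: "affected" holds the version prefixes
# each advisory lists as affected ((5,) covers every 5.x release), "fixed"
# holds the first fixed release per branch, and a branch with no "fixed"
# entry has no fix named in the advisory ("to be confirmed" on the page).
ADVISORIES = {
    "FG-IR-21-158": {  # CVE-2021-42753, arbitrary file/directory deletion
        "affected": [(6, 4), (6, 3), (6, 2), (6, 1), (6, 0), (5, 9), (5, 8)],
        "fixed": {(6, 4): (6, 4, 2), (6, 3): (6, 3, 16)},
    },
    "FG-IR-21-132": {  # CVE-2021-36193, stack overflow in the CLI
        "affected": [(6, 4), (6, 3), (6, 2), (6, 1), (6, 0), (5,)],
        "fixed": {(6, 4): (6, 4, 2), (6, 3): (6, 3, 16), (6, 2): (6, 2, 6)},
    },
    "FG-IR-21-166": {  # CVE-2021-41018, command injection (WAD handlers)
        "affected": [(6, 4), (6, 3), (6, 2)],
        "fixed": {(6, 4): (6, 4, 2), (6, 3): (6, 3, 16), (6, 2): (6, 2, 7)},
    },
    "FG-IR-21-180": {  # CVE-2021-43073, command injection (API controllers)
        "affected": [(6, 4), (6, 3), (6, 2), (6, 1), (6, 0), (5, 9), (5, 8)],
        "fixed": {(6, 4): (6, 4, 2), (6, 3): (6, 3, 17), (6, 2): (6, 2, 7)},
    },
}

# The note's header puts every release before 7.0.0 in scope, and 7.0.0 is
# the first release the two command-injection advisories name as fixed.
FIRST_CLEAN_RELEASE = (7, 0, 0)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

# Constructed sample shaped like a version banner; it is not taken from the
# page and does not claim to reproduce the real CLI output format.
SAMPLE_BANNER = "Version: FortiWeb-VM 6.3.15,build1101"


def parse_version(text):
    """Return the first major.minor.patch triple found in text as a tuple."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(g) for g in m.groups())


def status(version, advisory_id):
    """'fixed', 'affected', 'affected (no fix on branch)' or 'not listed'."""
    adv = ADVISORIES[advisory_id]
    if version >= FIRST_CLEAN_RELEASE:
        return "fixed"
    fix = adv["fixed"].get(version[:2])
    if fix is not None:
        return "fixed" if version >= fix else "affected"
    if any(version[:len(prefix)] == prefix for prefix in adv["affected"]):
        return "affected (no fix on branch)"
    return "not listed"


def report(text):
    """Map every advisory in this note to its status for the given version."""
    version = parse_version(text)
    return {adv_id: status(version, adv_id) for adv_id in ADVISORIES}


def upgrade_target(text):
    """Lowest release on the running branch that closes every advisory that
    affects it (the version itself when nothing applies); None when some
    advisory names no fix for that branch, i.e. a branch change is needed."""
    version = parse_version(text)
    target = version
    for adv_id, adv in ADVISORIES.items():
        if status(version, adv_id).startswith("affected"):
            fix = adv["fixed"].get(version[:2])
            if fix is None:
                return None
            target = max(target, fix)
    return target


if __name__ == "__main__":
    for adv_id, st in report(SAMPLE_BANNER).items():
        print("%s: %s" % (adv_id, st))
    print("upgrade to:", upgrade_target(SAMPLE_BANNER))
```

Branches the advisories list as affected without naming a fix (6.2.x and older for FG-IR-21-158, 6.1.x and older for FG-IR-21-180) come back as "affected (no fix on branch)" and upgrade_target() returns None for them: the only remediation the note offers there is moving to a fixed branch. Note also that 6.3.16 closes three of the four entries but not FG-IR-21-180, which is why the header names 6.3.17.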

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

