Fortinet fixes critical vulnerabilities in SSL VPN and web firewall

Fortinet has fixed multiple severe vulnerabilities impacting its products.

The vulnerabilities range from Remote Code Execution (RCE) to SQL Injection, to Denial of Service (DoS) and impact the FortiProxy SSL VPN and FortiWeb Web Application Firewall (WAF) products.

Some vulnerabilities reported 2 years ago

Multiple advisories published by FortiGuard Labs this month and in January 2021 mention various critical vulnerabilities that Fortinet has been patching in their products.

Some of these vulnerabilities shown below had been previously reported in other Fortinet products but were fixed only recently in FortiProxy SSL VPN versions shown below.

CVE IDVulnerability typeImpacted productsFixed versionsDate first publishedDate Fixed
CVE-2018-13383DoS, RCEFortiProxy SSL VPN 2.0.0 and below, 1.2.8 and below, 1.1.6 and below, 1.0.7 and below.FortiProxy SSL VPN >= 2.0.1 and >= 1.2.9.April 2, 2019February 1, 2021
CVE-2018-13381DoSFortiProxy SSL VPN 2.0.0 and below, 1.2.8 and below, 1.1.6 and below, 1.0.7 and below.FortiProxy SSL VPN >= 2.0.1 and >= 1.2.9.May 17, 2019February 1, 2021
CVE-2020-29015SQL InjectionFortiWeb 6.3.7 and below, 6.2.3 and below.FortiWeb >= 6.3.8, >= 6.2.4Jan 4, 2021Jan 4, 2021
CVE-2020-29016RCEFortiWeb 6.3.5 and below, 6.2.3 and belowFortiWeb >= 6.3.6, >= 6.2.4Jan 4, 2021Jan 4, 2021
CVE-2020-29017RCEFortiDeceptor 3.1.0 and below, 3.0.1 and below.FortiDeceptor >= >= 3.2.0, 3.1.1, >= 3.0.2Jan 4, 2021Jan 4, 2021
CVE-2020-29018RCEFortiWeb 6.3.5 and belowFortiWeb >= 6.3.6Jan 4, 2021Jan 4, 2021
CVE-2020-29019DoSFortiWeb 6.3.7 and below, 6.2.3 and belowFortiWeb >= 6.3.8, >= 6.2.4Jan 4, 2021Jan 4, 2021

Of particular note is the vulnerability CVE-2018-13381 in FortiProxy SSL VPN that can be triggered by a remote, unauthenticated actor through a crafted POST request.

Due to a buffer overflow in the SSL VPN portal of FortiProxy, a specially crafted POST request of large size, when received by the product is capable of crashing it, leading to a Denial of Service (DoS) condition.

Likewise, CVE-2018-13383 is interesting in that an attacker can abuse it to trigger an overflow in the VPN via JavaScript’s HREF content property.

Should an attacker-crafted webpage containing the JavaScript payload be parsed by FortiProxy SSL VPN, remote code execution is possible, in addition to DoS.

Whereas, vulnerabilities made public in January 2021, make SQL Injection, RCE, and DoS possible in various ways.

Vulnerabilities in FortiWeb Web Application Firewall were discovered and responsibly reported by researcher Andrey Medov at Positive Technologies.

“The most dangerous of these four vulnerabilities are the SQL Injection (CVE-2020-29015) and Buffer Overflow (CVE-2020-29016) as their exploitation does not require authorization.”

“The first allows you to obtain the hash of the system administrator account due to excessive DBMS user privileges, which gives you access to the API without decrypting the hash value.”

“The second one allows arbitrary code execution. Additionally, the format string vulnerability (CVE-2020-29018) also may allow code execution, but its exploitation requires authorization,” says Medov in a blog post.

Additionally, Meh Chang and Orange Tsai of the DEVCORE Security Research Team have been credited for responsibly reporting the flaws in FortiProxy SSL VPN.

Whereas, FortiDeceptor RCE vulnerability was reported by Chua Wei Kiat.

Critical vulnerabilities rated as “Medium”

It is worth noting many of these vulnerabilities have been rated by the NVD as having a High or Critical severity rating, in accordance with CVSS 3.1 scoring guidelines.

However, it is not clear why these flaws are marked as posing a medium threat in advisories published by FortiGuard Labs.

For example, he blind SQL injection security flaw in FortiWeb can be exploited by an unauthenticated actor to execute arbitrary SQL queries or commands via web requests that have malicious SQL statements injected in the Authorization header.

That is possibly why it was assigned a Critical severity with a CVSS 3.1 score of 9.8 by the NVD, as opposed to a Medium (6.4) score reported by Fortinet.

BleepingComputer has observed similar scoring discrepancies for other Fortinet vulnerabilities as well.

Last year, as reported by BleepingComputer, hackers had posted a list of almost 50,000 vulnerable Fortinet VPNs with a years old Path Traversal flaw.

Some of these VPNs were in active use by governments, telecoms, banks, and financial organizations around the world.

As a result of this list having been made public, the same week, another threat actor had posted plain text credentials of these 50,000 VPNs on hacker forums.

Fortinet customers are therefore advised to upgrade to fixed versions of their products as soon as possible to protect against such critical vulnerabilities.

Original Article