Fortinet has fixed multiple severe vulnerabilities impacting its products.
The vulnerabilities range from Remote Code Execution (RCE) to SQL Injection, to Denial of Service (DoS) and impact the FortiProxy SSL VPN and FortiWeb Web Application Firewall (WAF) products.
Some vulnerabilities reported 2 years ago
Multiple advisories published by FortiGuard Labs this month and in January 2021 mention various critical vulnerabilities that Fortinet has been patching in their products.
Some of the vulnerabilities listed below had previously been reported in other Fortinet products but were fixed only recently in the FortiProxy SSL VPN versions shown in the table.
| CVE ID | Vulnerability type | Impacted products | Fixed versions | Date first published | Date fixed |
|---|---|---|---|---|---|
| CVE-2018-13383 | DoS, RCE | FortiProxy SSL VPN 2.0.0 and below, 1.2.8 and below, 1.1.6 and below, 1.0.7 and below | FortiProxy SSL VPN >= 2.0.1 and >= 1.2.9 | April 2, 2019 | February 1, 2021 |
| CVE-2018-13381 | DoS | FortiProxy SSL VPN 2.0.0 and below, 1.2.8 and below, 1.1.6 and below, 1.0.7 and below | FortiProxy SSL VPN >= 2.0.1 and >= 1.2.9 | May 17, 2019 | February 1, 2021 |
| CVE-2020-29015 | SQL Injection | FortiWeb 6.3.7 and below, 6.2.3 and below | FortiWeb >= 6.3.8, >= 6.2.4 | Jan 4, 2021 | Jan 4, 2021 |
| CVE-2020-29016 | RCE | FortiWeb 6.3.5 and below, 6.2.3 and below | FortiWeb >= 6.3.6, >= 6.2.4 | Jan 4, 2021 | Jan 4, 2021 |
| CVE-2020-29017 | RCE | FortiDeceptor 3.1.0 and below, 3.0.1 and below | FortiDeceptor >= 3.2.0, >= 3.1.1, >= 3.0.2 | Jan 4, 2021 | Jan 4, 2021 |
| CVE-2020-29018 | RCE | FortiWeb 6.3.5 and below | FortiWeb >= 6.3.6 | Jan 4, 2021 | Jan 4, 2021 |
| CVE-2020-29019 | DoS | FortiWeb 6.3.7 and below, 6.2.3 and below | FortiWeb >= 6.3.8, >= 6.2.4 | Jan 4, 2021 | Jan 4, 2021 |
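As an added example (not Fortinet's or the researchers' code), the following checker encodes the FortiProxy and FortiWeb ranges from the table above and classifies an installed version string as affected, fixed, or unknown; the product keys and the `check`/`parse_version` function names are assumptions made here.

```python
# Added example (not Fortinet's code): classify an installed FortiProxy or
# FortiWeb build against the affected/fixed ranges stated in the table above.
# Only the two FortiProxy CVEs and the wider FortiWeb range (CVE-2020-29015,
# CVE-2020-29019) are encoded, verbatim from that table.

# (major, minor) -> (highest affected patch, first fixed patch or None when
# the advisory lists no fixed release inside that branch)
ADVISORY = {
    "FortiProxy": {            # CVE-2018-13381 and CVE-2018-13383
        (2, 0): (0, 1),        # 2.0.0 and below affected, fixed in 2.0.1
        (1, 2): (8, 9),        # 1.2.8 and below affected, fixed in 1.2.9
        (1, 1): (6, None),     # 1.1.6 and below affected, no 1.1.x fix listed
        (1, 0): (7, None),     # 1.0.7 and below affected, no 1.0.x fix listed
    },
    "FortiWeb": {              # CVE-2020-29015 and CVE-2020-29019
        (6, 3): (7, 8),        # 6.3.7 and below affected, fixed in 6.3.8
        (6, 2): (3, 4),        # 6.2.3 and below affected, fixed in 6.2.4
    },
}

def parse_version(text):
    """Parse 'major.minor.patch' into ints; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(p) for p in parts)

def check(product, version):
    """Return 'affected', 'fixed' or 'unknown' for one product/version pair.

    'unknown' covers branches the advisory does not mention and patch levels
    above the affected range in a branch with no listed fix (FortiProxy
    1.1.7, say), so the caller never assumes safety by default.
    """
    major, minor, patch = parse_version(version)
    entry = ADVISORY[product].get((major, minor))
    if entry is None:
        return "unknown"
    highest_affected, first_fixed = entry
    if patch <= highest_affected:
        return "affected"
    if first_fixed is not None and patch >= first_fixed:
        return "fixed"
    return "unknown"

if __name__ == "__main__":
    # constructed inventory of installed builds, not real hosts
    for product, version in [("FortiProxy", "2.0.0"), ("FortiProxy", "1.2.9"),
                             ("FortiProxy", "1.1.6"), ("FortiWeb", "6.3.8")]:
        print(f"{product} {version}: {check(product, version)}")
```

Builds on a branch with no in-branch fix (FortiProxy 1.1.x and 1.0.x) need an upgrade to a fixed branch rather than a patch-level bump.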
Of particular note is CVE-2018-13381 in FortiProxy SSL VPN, which can be triggered by a remote, unauthenticated actor through a crafted POST request.
Due to a buffer overflow in the FortiProxy SSL VPN portal, a specially crafted POST request of large size can crash the product when received, leading to a Denial of Service (DoS) condition.
The vulnerabilities made public in January 2021, on the other hand, enable SQL Injection, RCE, and DoS in various ways.
Vulnerabilities in FortiWeb Web Application Firewall were discovered and responsibly reported by researcher Andrey Medov at Positive Technologies.
“The most dangerous of these four vulnerabilities are the SQL Injection (CVE-2020-29015) and Buffer Overflow (CVE-2020-29016) as their exploitation does not require authorization.”
“The first allows you to obtain the hash of the system administrator account due to excessive DBMS user privileges, which gives you access to the API without decrypting the hash value.”
“The second one allows arbitrary code execution. Additionally, the format string vulnerability (CVE-2020-29018) also may allow code execution, but its exploitation requires authorization,” says Medov in a blog post.
Additionally, Meh Chang and Orange Tsai of the DEVCORE Security Research Team have been credited for responsibly reporting the flaws in FortiProxy SSL VPN.
The FortiDeceptor RCE vulnerability, meanwhile, was reported by Chua Wei Kiat.
Critical vulnerabilities rated as “Medium”
It is worth noting that many of these vulnerabilities have been rated by the NVD as having a High or Critical severity rating, in accordance with CVSS 3.1 scoring guidelines.
However, it is not clear why these flaws are marked as posing a medium threat in advisories published by FortiGuard Labs.