Fortinet, a cybersecurity solutions provider, has addressed four critical vulnerabilities in its FortiWeb web application firewalls. Tracked as CVE-2020-29015, CVE-2020-29016, CVE-2020-29019, and CVE-2020-29018, the vulnerabilities were discovered by Andrey Medov, a security researcher from Positive Technologies.
Vulnerability Details
- CVE-2020-29015 – This is a blind SQL injection vulnerability in the FortiWeb user interface. The flaw, with CVSS v3.1 score 6.4, allows an unauthenticated, remote attacker to execute arbitrary SQL queries or commands by sending a request with a crafted authorization header containing a malicious SQL statement.
Affected Products
- FortiWeb versions 6.3.7 and below
- FortiWeb versions 6.2.3 and below
Fix
- Upgrade to FortiWeb versions 6.3.8 or above
- Upgrade to FortiWeb versions 6.2.4 or above
- CVE-2020-29016 – A stack-based buffer overflow vulnerability in FortiWeb, with CVSS v3 score 6.4, allows a remote attacker to overwrite the contents of the stack and potentially execute arbitrary code by sending a crafted request with a large certname.
Affected Products
- FortiWeb versions 6.3.5 and below
- FortiWeb versions 6.2.3 and below
Fix
- Upgrade to FortiWeb versions 6.3.6 or above
- Upgrade to FortiWeb versions 6.2.4 or above
- CVE-2020-29018 – A format string vulnerability in FortiWeb, with CVSS v3 score 5.3, allows an attacker to read the contents of memory and retrieve sensitive data via the redir parameter.
Affected Products
- FortiWeb versions 6.3.5 and below
Fix
- Upgrade to FortiWeb versions 6.3.6 or above
- CVE-2020-29019 – This is also a stack-based buffer overflow vulnerability in FortiWeb. The flaw, with CVSS v3 score 6.4, allows a remote attacker to crash the httpd daemon thread by sending a request with a crafted cookie header.
Affected Products
- FortiWeb versions 6.3.7 and below
- FortiWeb versions 6.2.3 and below
Fix
- Upgrade to FortiWeb versions 6.3.8 or above
- Upgrade to FortiWeb versions 6.2.4 or above
Fortinet issued fixes for all the vulnerabilities and urged users to install updates as soon as possible.
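The affected and fixed version lists above overlap differently for each CVE (a 6.3.6 install, for example, is clear of CVE-2020-29016 and CVE-2020-29018 but still exposed to the other two). The following script, added here and not part of the article or of any Fortinet tooling, encodes those version thresholds so an inventory of FortiWeb versions can be checked against all four CVEs at once; the version strings it is run on are constructed samples, and release branches the article does not list are reported as not covered rather than as clean.

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Highest affected patch level per release branch for each CVE, as listed in
# the article above. Branches the article does not mention are not covered here.
LAST_AFFECTED: Dict[str, Dict[Tuple[int, int], Version]] = {
    "CVE-2020-29015": {(6, 3): (6, 3, 7), (6, 2): (6, 2, 3)},
    "CVE-2020-29016": {(6, 3): (6, 3, 5), (6, 2): (6, 2, 3)},
    "CVE-2020-29018": {(6, 3): (6, 3, 5)},
    "CVE-2020-29019": {(6, 3): (6, 3, 7), (6, 2): (6, 2, 3)},
}

def parse_version(text: str) -> Version:
    """Turn '6.3.7' or 'FortiWeb 6.3.7' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().split()[-1].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiWeb version string: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])

def affecting_cves(version: str) -> List[str]:
    """CVEs from the advisory that still apply to the given FortiWeb version."""
    v = parse_version(version)
    branch = (v[0], v[1])
    hits = [cve for cve, per_branch in LAST_AFFECTED.items()
            if branch in per_branch and v <= per_branch[branch]]
    return sorted(hits)

def assess(version: str) -> Dict[str, object]:
    """Summarise exposure: which CVEs apply, whether the branch is covered by the
    advisory at all, and the lowest release in the same branch that closes them."""
    v = parse_version(version)
    branch = (v[0], v[1])
    covered = any(branch in per_branch for per_branch in LAST_AFFECTED.values())
    cves = affecting_cves(version)
    upgrade_to: Optional[str] = None
    if cves:
        # The fix release is one patch level above the highest affected level
        # among the open CVEs (6.3.8 / 6.3.6 / 6.2.4, matching the article).
        highest = max(LAST_AFFECTED[cve][branch] for cve in cves)
        upgrade_to = f"{highest[0]}.{highest[1]}.{highest[2] + 1}"
    return {"version": version, "branch_covered": covered,
            "affected_by": cves, "upgrade_to": upgrade_to}

if __name__ == "__main__":
    for sample in ("6.2.3", "6.3.6", "6.3.8", "6.4.0"):  # constructed inputs
        print(assess(sample))
```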
“The most dangerous of these four vulnerabilities are the SQL Injection (CVE-2020-29015) and Buffer Overflow (CVE-2020-29016) as their exploitation does not require authorization. The first allows you to obtain the hash of the system administrator account due to excessive DBMS user privileges, which gives you access to the API without decrypting the hash value. The second one allows arbitrary code execution. Additionally, the format string vulnerability (CVE-2020-29018) also may allow code execution, but its exploitation requires authorization,” said Medov.