Multiple Vulnerabilities in FortiWeb could allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:

2023-021

DATE(S) ISSUED:

02/17/2023

OVERVIEW:

Multiple vulnerabilities have been discovered in FortiWeb, which could allow for Arbitrary Code Execution. FortiWeb is a web application firewall (WAF). Several of the flaws are reachable over HTTP, two of them without authentication, and at least one yields command execution as root on the appliance. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • FortiWeb versions 5.6.0 - 7.0.3

RISK:

Government:
  Large and medium government entities: HIGH
  Small government: MEDIUM
Businesses:
  Large and medium business entities: HIGH
  Small business entities: MEDIUM
Home Users:
  LOW

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in FortiWeb, which could allow for Arbitrary Code Execution. Details of the vulnerabilities are as follows:

Tactic: Initial Access (TA0001):
Technique: Exploit Public Facing Application (T1190):

  • Multiple buffer overflow vulnerabilities in the web server of FortiWeb may allow an authenticated attacker to achieve arbitrary code execution via specifically crafted HTTP requests. (CVE-2023-23780)
  • An improper neutralization of special elements used in an OS command ('OS Command Injection') in FortiWeb may allow an authenticated attacker to execute arbitrary shell code as the root user via crafted HTTP requests. (CVE-2022-30303)
  • Multiple stack-based buffer overflow vulnerabilities in FortiWeb's proxy daemon may allow an unauthenticated remote attacker to achieve arbitrary code execution via specifically crafted HTTP requests. (CVE-2021-42756)

Tactic: Execution (TA0002):
Technique: Command and Scripting Interpreter: Network Device CLI (T1059.008):

  • A double free vulnerability in the FortiWeb CLI may allow an authenticated, local attacker to achieve arbitrary code execution via specifically crafted commands. (CVE-2022-40683)
  • An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in FortiWeb may allow a privileged attacker to execute arbitrary bash commands via crafted CLI backup parameters. (CVE-2023-23777)
  • A session fixation condition in the session management of FortiWeb may allow a remote, unauthenticated attacker to infer the session identifier of other users and possibly usurp their sessions. (CVE-2021-42761)
  • A stack-based buffer overflow in the command line interpreter of FortiWeb may allow an authenticated user to execute unauthorized code or commands via specially crafted command arguments. (CVE-2023-25602)
  • A buffer overflow vulnerability [CWE-122] in the command line interpreter of FortiWeb may allow an authenticated attacker to achieve arbitrary code execution via specifically crafted arguments to existing commands. (CVE-2023-23782)

Details of lower severity vulnerabilities are as follows:

  • An improper verification of cryptographic signature vulnerability in FortiOS, FortiWeb, FortiProxy and FortiSwitch may allow an attacker to decrypt portions of the administrative session management cookie if able to intercept the latter. (CVE-2021-43074)
  • A stack-based buffer overflow vulnerability in the CA sign functionality of FortiWeb may allow an authenticated attacker to achieve arbitrary code execution via a specifically crafted password. (CVE-2022-30306)
  • A stack-based buffer overflow vulnerability in FortiWeb may allow a privileged attacker to execute arbitrary code or commands via specifically crafted CLI "execute backup-local rename" and "execute backup-local show" operations. (CVE-2022-33871)
  • Multiple improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerabilities in FortiWeb may allow an authenticated attacker to execute unauthorized code or commands via crafted parameters of HTTP requests. (CVE-2023-23779)
  • A relative path traversal vulnerability in FortiWeb may allow an authenticated attacker to obtain unauthorized access to files and data via specifically crafted HTTP GET requests. (CVE-2022-30300)
  • A relative path traversal vulnerability in the API of FortiWeb may allow an authenticated attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests. (CVE-2023-23784)
  • A relative path traversal vulnerability in FortiWeb may allow an authenticated user to obtain unauthorized access to files and data via specifically crafted web requests. (CVE-2023-23778)
  • A path traversal vulnerability in the API of FortiWeb may allow an authenticated attacker to retrieve specific parts of files from the underlying file system via specially crafted web requests. (CVE-2022-30299)
  • A stack-based buffer overflow vulnerability in the FortiWeb SAML server configuration may allow an authenticated attacker to achieve arbitrary code execution via specifically crafted XML files. (CVE-2023-23781)
  • An unauthorized configuration download vulnerability in FortiWeb may allow a local attacker to access confidential configuration files via a crafted HTTP request. (CVE-2023-22636)
  • A format string vulnerability in the command line interpreter of FortiWeb may allow an authenticated user to execute unauthorized code or commands via specially crafted command arguments. (CVE-2023-23783)

Successful exploitation of these vulnerabilities could allow for arbitrary code execution in the context of the affected FortiWeb process, which for CVE-2022-30303 is the root user. Depending on the privileges associated with that user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
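The command-injection and path-traversal items above name two defect classes but, as with the rest of Fortinet's descriptions, give no FortiWeb internals. The following is an added example and is not FortiWeb code or anything published with this advisory: a generic Python handler pair showing each defect next to a hardened form. The backup directory, file names, handler names and payloads are assumptions, and "echo" stands in for the real rename command so the injected input runs harmlessly.

```python
"""Added illustration of OS command injection (CWE-78) and relative path
traversal (CWE-23) in a backup-file handler.  Generic example code, not
FortiWeb source; every name and path below is an assumption."""
import atexit
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# Constructed sandbox: a backup directory plus one file *outside* it that stands
# in for something sensitive on the appliance filesystem.
_SANDBOX = Path(tempfile.mkdtemp(prefix="fortiweb_demo_"))
atexit.register(shutil.rmtree, _SANDBOX, ignore_errors=True)
BACKUP_ROOT = _SANDBOX / "backups"
BACKUP_ROOT.mkdir()
(BACKUP_ROOT / "config-2023-02-17.conf").write_text("config system global\nend\n")
(_SANDBOX / "secret.txt").write_text("admin-password-hash\n")

# Allow-list for backup names: no slashes, no shell metacharacters, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def vulnerable_rename_cmd(old: str, new: str) -> str:
    """Request parameters are spliced into a shell string and run with
    shell=True, so 'x; id' executes 'id' as the daemon's user (root on an
    appliance).  'echo' replaces the real 'mv' to keep the demo harmless."""
    cmd = f"echo renaming {old} to {new}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_rename_cmd(old: str, new: str) -> str:
    """Same operation: names are validated against the allow-list and the
    command is an argv list, so no shell ever parses user input."""
    for name in (old, new):
        if name in (".", "..") or not SAFE_NAME.match(name):
            raise ValueError(f"rejected backup name: {name!r}")
    argv = ["echo", "renaming", old, "to", new]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def vulnerable_read_backup(name: str) -> str:
    """The request-supplied name is joined to the backup root unchecked, so
    '../secret.txt' walks out of the directory."""
    return (BACKUP_ROOT / name).read_text()


def hardened_read_backup(name: str) -> str:
    """Resolve the final path (collapsing '..' and symlinks, and discarding an
    absolute name) and require it to stay under the root before reading."""
    root = BACKUP_ROOT.resolve()
    target = (root / name).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        raise PermissionError(f"path escapes backup root: {name!r}") from None
    return target.read_text()


def demo() -> dict:
    """Run both variants against one injection and one traversal payload."""
    results = {
        "vuln_injection": vulnerable_rename_cmd("x; echo INJECTED", "y"),
        "vuln_traversal": vulnerable_read_backup("../secret.txt"),
    }
    try:
        hardened_rename_cmd("x; echo INJECTED", "y")
        results["hardened_injection"] = "ran"
    except ValueError as exc:
        results["hardened_injection"] = str(exc)
    try:
        hardened_read_backup("../secret.txt")
        results["hardened_traversal"] = "read"
    except PermissionError as exc:
        results["hardened_traversal"] = str(exc)
    results["hardened_ok"] = hardened_read_backup("config-2023-02-17.conf")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The two fixes are independent and both are needed in a real handler: the allow-list alone does not stop `..` from being joined to a path (hence the explicit resolve-and-compare), and the resolve check alone does nothing for a value that is passed to a shell rather than opened.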

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate updates and workarounds provided by Fortinet to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
  • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
  • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
  • Block execution of code on a system through application control, and/or script blocking. (M1038: Execution Prevention)
  • Safeguard 2.5: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed.
  • Safeguard 2.7: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files are allowed to execute. Block unauthorized scripts from executing.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
  • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
  • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
  • Restrict execution of code to a virtual environment on or in transit to an endpoint system. (M1048: Application Isolation and Sandboxing)
  • Safeguard 4.1: Establish and Maintain a Secure Configuration Process: Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 16.8: Separate Production and Non-Production Systems: Maintain separate environments for production and non-production systems.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
  • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
  • Safeguard 13.10: Performing Application Layer Filtering: Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
  • Safeguard 3.12: Segment Data Processing and Storage Based on Sensitivity: Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data.
  • Safeguard 4.4: Implement and Manage a Firewall on Servers: Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.
  • Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
  • Safeguard 12.8: Establish and Maintain Dedicated Computing Resources for All Administrative Work: Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise's primary network and not be allowed internet access.
  • Safeguard 16.8: Separate Production and Non-Production Systems: Maintain separate environments for production and non-production systems.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources. Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. (M1017: User Training)
  • Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
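Several of the HTTP-side items in the technical summary (traversal via crafted GET requests, command injection via crafted parameters, overflows via oversized requests) leave a recognisable trace in access logs collected in front of the management interface, which is the kind of check M1050 and Safeguard 13.10 call for. As an added example, not part of this advisory or of any Fortinet tooling, the script below runs three such checks over constructed log lines in the common Apache/nginx combined format. FortiWeb's own log format differs; the /demo/... paths, parameter names and the 1024-byte length threshold are assumptions.

```python
"""Added example: flag traversal, shell-metacharacter and oversized-field
patterns in web access logs.  Constructed sample data; the endpoints are
placeholders and not FortiWeb URLs."""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# '..' as a whole path segment, with either slash style.
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# Characters that change the meaning of a command line built from this value.
SHELL_META_RE = re.compile(r"[;|`&\n]|\$[({]")
MAX_VALUE_LEN = 1024     # assumed threshold; tune to what the interface normally sees
MAX_DECODE_ROUNDS = 3    # catches %252e%252e%252f style double encoding

_LONG = "A" * 2000       # stands in for an oversized field aimed at a fixed-size buffer
SAMPLE_LOG = "\n".join([  # constructed lines, combined log format
    '203.0.113.5 - - [17/Feb/2023:10:01:02 +0000] "GET /demo/status HTTP/1.1" 200 512 "-" "curl/7.88"',
    '203.0.113.5 - - [17/Feb/2023:10:01:09 +0000] "GET /demo/files?name=../../../../etc/passwd HTTP/1.1" 200 1320 "-" "curl/7.88"',
    '203.0.113.5 - - [17/Feb/2023:10:01:15 +0000] "GET /demo/files?name=..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 0 "-" "curl/7.88"',
    '203.0.113.5 - - [17/Feb/2023:10:01:21 +0000] "GET /demo/files?name=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0 "-" "curl/7.88"',
    '198.51.100.9 - - [17/Feb/2023:10:02:40 +0000] "POST /demo/backup?filename=backup.conf;id HTTP/1.1" 500 0 "-" "python-requests/2.28"',
    '198.51.100.9 - - [17/Feb/2023:10:02:44 +0000] "POST /demo/backup?filename=x%24%28id%29 HTTP/1.1" 500 0 "-" "python-requests/2.28"',
    f'198.51.100.9 - - [17/Feb/2023:10:03:01 +0000] "GET /demo/login?user={_LONG} HTTP/1.1" 502 0 "-" "python-requests/2.28"',
    '192.0.2.77 - - [17/Feb/2023:10:05:00 +0000] "GET /demo/files?name=report-2023.pdf HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
])


def fully_decode(value: str) -> str:
    """Percent-decode until the value stops changing (bounded), so an encoded
    or double-encoded payload is judged in the form the application sees."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def query_values(query: str):
    """Split a raw query string without relying on parse_qsl's separator rules,
    so ';' stays inside the value where it belongs."""
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            yield key, value


def scan_line(line: str) -> list:
    """Return one finding dict per rule that fires on this line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    ip, target = m["ip"], m["target"]
    parts = urlsplit(target)
    fields = [("path", parts.path)] + [(f"param:{k}", v) for k, v in query_values(parts.query)]
    findings = []
    for field, raw in fields:
        value = fully_decode(raw)
        if TRAVERSAL_RE.search(value):
            findings.append({"ip": ip, "rule": "path_traversal", "field": field, "value": value[:80]})
        if field != "path" and SHELL_META_RE.search(value):
            findings.append({"ip": ip, "rule": "command_injection", "field": field, "value": value[:80]})
        if len(value) > MAX_VALUE_LEN:
            findings.append({"ip": ip, "rule": "oversized_input", "field": field, "value": f"{len(value)} bytes"})
    return findings


def scan(log_text: str) -> list:
    """Scan every line, tagging findings with the 1-based line number."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), 1):
        for finding in scan_line(line):
            finding["line"] = number
            findings.append(finding)
    return findings


def sources_by_hits(findings: list) -> Counter:
    """Count findings per client address, the first pivot for triage."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: {f['rule']} from {f['ip']} in {f['field']}: {f['value']}")
    print(sources_by_hits(scan(SAMPLE_LOG)))
```

A 403 or 404 on a traversal attempt (lines 3 and 4 of the sample) is still worth an alert: the request shows intent, and the same source usually follows up with another encoding. Apply the same rules to request bodies where the log pipeline captures them, since the command-injection items above are not limited to the query string.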

REFERENCES:
