Threat researchers at Optimistic Technologies have found four security vulnerabilities affecting Fortinet's FortiWeb firewalls and web applications and are urging customers to upgrade their installations as soon as possible.
The first of these vulnerabilities (CVE-2020-29015) earned a severity score of 6.4 and enabled an unauthorized user to conduct a blind SQL database injection attack via the FortiWeb interface. Once exploited, the attacker will send a request with an authorization header containing malicious SQL commands, Positive Technology wrote in a blog post last week.
The second (CVE-2020-29016) and third (CVE-2020-29019) vulnerabilities also earned a severity score of 6.4 and allowed researchers to launch a stack buffer overflow attack on the FortiWeb server, allowing them to run unauthorized code and conduct a denial-of-service attack on the httpd daemon program.
The final vulnerability (CVE-2020-29018) earned a slightly lower threat score of 5.3 and allowed a format-string exploit. Researchers claim that if abused, an attacker will read the contents of the device's memory, obtain confidential data, and execute unauthorized code using the "redir" parameter.
According to Andrey Medov, a threat researcher at Positive Technologies, the first two vulnerabilities are especially powerful as they do not require permission to exploit them.
"The first one allows you to get the system administrator account hash due to excessive [database management system] user privileges that give you access to the API without decrypting the hash value," he wrote. "The second one allows for arbitrary code execution."
Medov added that although the fourth vulnerability still allowed unauthorized code to be run, it was less serious as the exploit involved authentication.
Fortinet was made aware of these vulnerabilities at the beginning of January and has since been patched by the business. Fortinet advises customers to upgrade FortiWeb versions 6.2 and 6.3 to 6.3.8 and 6.2.4, respectively, to apply patches.