Fortinet has released patches for a critical-rated zero-day vulnerability in its FortiWeb Web Application Firewall (WAF). The security flaw, tracked as CVE-2024-21758, carries a CVSS score of 9.8 and was discovered by researchers at security firm Assetnote.

This marks the second zero-day vulnerability in FortiWeb that Assetnote has reported to Fortinet in a short period. The previous flaw was an OS command injection vulnerability identified as CVE-2023-48788.

Vulnerability Details: CVE-2024-21758

The vulnerability is a SQL injection (SQLi) flaw present in the management interface of the FortiWeb WAF. According to the advisory, an authenticated attacker with access to the management interface can execute arbitrary code by sending specially crafted HTTP requests. The flaw stems from the way the product’s “ha_peer_ip” parameter is handled in a database-backed login feature.

Assetnote researchers found that the parameter was passed to a sprintf function without proper sanitization, which created the opening for the SQL injection. The researchers were able to leverage this SQLi to achieve remote code execution (RCE) on the affected device.

Affected Products and Mitigation

Fortinet confirmed that several versions of its WAF are impacted by this critical vulnerability. The affected product versions include FortiWeb 7.2.0 through 7.2.2, 7.0.0 through 7.0.6, and all versions of 6.4 and 6.3. Fortinet has released patches and advises customers to upgrade to FortiWeb versions 7.4.0, 7.2.3, or 7.0.7 and above.

This vulnerability adds to a series of security issues for the vendor. U.S. government agencies, including CISA and the NSA, have previously identified Fortinet vulnerabilities as being among the most frequently exploited by threat actors. Another recent critical bug, CVE-2024-21762, an out-of-bounds write vulnerability in the FortiOS SSL VPN, was confirmed by CISA to be under active exploitation.

Source: https://www.darkreading.com/vulnerabilities-threats/fortinet-woes-continue-another-waf-zero-day-flaw