Fortinet FortiWeb
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*
- >= 7.6.0, <= 7.6.3
- >= 7.4.0, <= 7.4.7
- >= 7.2.0, <= 7.2.10
- >= 7.0.0, <= 7.0.10
An authentication bypass vulnerability has been identified in Fortinet FortiWeb versions 7.6.3 and below, 7.4.7 and below, 7.2.10 and below, and 7.0.10 and below. This vulnerability allows an unauthenticated remote attacker with non-public information about the device and targeted user to gain admin privileges by sending a specially crafted request. The issue arises from improper handling of session-cookie parameters, which can be exploited to manipulate session cookies and bypass authentication mechanisms.
Exploitation of this vulnerability allows for unauthorized access to admin privileges on the affected FortiWeb device.
The vulnerability can be reproduced by sending a request with a manipulated 'Era' parameter in the session cookie. This 'Era' parameter should be set to a value that triggers an out-of-bounds read, allowing the attacker to force the server to use a predictable, zeroed secret key for session encryption and signing. Once the key is manipulated, the attacker can craft a payload that impersonates an admin user and access restricted endpoints.
Users are advised to upgrade Fortinet FortiWeb to version 7.6.4 or above, 7.4.8 or above, 7.2.11 or above, or 7.0.11 or above, depending on their current version.
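As an added example (not part of this advisory or of Fortinet's own tooling), the following Python helper maps a FortiWeb version string onto the affected ranges listed above and reports the first fixed release in the same branch, distinguishing builds that are fixed from branches this advisory does not cover. The host names and version strings in the sample inventory are constructed, and the function names are assumed.

```python
# (first affected, last affected, first fixed) per branch, taken from the advisory text.
AFFECTED_RANGES = [
    ("7.6.0", "7.6.3", "7.6.4"),
    ("7.4.0", "7.4.7", "7.4.8"),
    ("7.2.0", "7.2.10", "7.2.11"),
    ("7.0.0", "7.0.10", "7.0.11"),
]


def parse_version(text):
    """Turn '7.4.7', 'v7.4.7' or '7.4.7 build 0123' into a comparable (major, minor, patch) tuple."""
    core = text.strip().lstrip("vV").split()[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiWeb version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version):
    """Return ('affected', first_fixed), ('fixed', None) or ('not_listed', None).

    'not_listed' means the branch (e.g. 6.x or 8.x) is not covered by this advisory,
    which is deliberately not the same answer as 'fixed'.
    """
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        lo, hi = parse_version(low), parse_version(high)
        if v[:2] != lo[:2]:
            continue  # different major.minor branch
        if lo <= v <= hi:
            return ("affected", fixed)
        return ("fixed", None)
    return ("not_listed", None)


def upgrade_plan(inventory):
    """Map each affected host in {hostname: version} to the release it should be upgraded to."""
    plan = {}
    for host, version in inventory.items():
        status, fixed = assess(version)
        if status == "affected":
            plan[host] = fixed
    return plan


# Constructed sample inventory (hypothetical hosts, not real devices).
SAMPLE_INVENTORY = {
    "waf-edge-01": "7.4.7",
    "waf-edge-02": "v7.6.4 build 0001",
    "waf-lab-01": "6.3.17",
}

if __name__ == "__main__":
    print(upgrade_plan(SAMPLE_INVENTORY))
```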