External risk intelligence

FortiOS: Local Attacker Can Download Arbitrary Files

CVE advisoryKnown Exploit

CVE-2021-44168

A FortiOS vulnerability allows a local, authenticated attacker to download arbitrary files by bypassing integrity checks in a specific command. This could impact data confidentiality and system integrity. Organizations should apply vendor updates to mitigate this risk.

1Halo Surface Signal

Fortinet Fortios

before 6.0.146.2.0 to before 6.2.106.4.0 to before 6.4.87.0.0 to before 7.0.3

External exposure likelihood

Halo Surface Signal score for CVE-2021-44168

The vulnerability requires a local authenticated user to execute a specific command on the device. Because it is limited to local-only access and requires prior authentication, there is no typical public network exposure or remote attack surface.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability exists within the \"execute restore src-vis\" command in FortiOS. This flaw allows a local authenticated attacker to download arbitrary files to the device by using specially crafted update packages. Such an action could lead to significant business risk if sensitive data is compromised.

  • Vulnerable FortiOS command
  • Code download without integrity check
  • Arbitrary file download impact

Attack Path

How an attacker could exploit the issue

A local authenticated attacker could exploit a vulnerability in the "execute restore src-vis" command. This vulnerability allows the attacker to download arbitrary files to the device by providing specially crafted update packages. Such an action could lead to unauthorized access to sensitive information or the introduction of malicious files, impacting data confidentiality and system integrity.

  • Requires local authenticated access.
  • Attacker crafts update package.
  • Attacker executes command, downloads files.

Live Threat

Current exploitation, exposure, and threat context

A vulnerability in FortiOS allows a local, authenticated attacker to download arbitrary files. This occurs when a specially crafted update package is used with the "execute restore src-vis" command, bypassing integrity checks. The potential impact involves unauthorized access to sensitive information on the device.

  • Attackers with local access.
  • Requires prior authentication.
  • Significant business risk.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability allows an authenticated local attacker to download arbitrary files by exploiting a lack of integrity checking in the "execute restore src-vis" command. This could lead to unauthorized access to sensitive information on the device. Organizations should prioritize addressing this issue to prevent potential data compromise and maintain system integrity.

  • Identify FortiOS systems.
  • Limit access to affected systems.
  • Apply vendor updates and verify.
  • Monitor for related activity.

Frequently asked questions

What is FortiOS and what does its "execute restore src-vis" command do?

FortiOS is the operating system for Fortinet security devices. The "execute restore src-vis" command is intended for managing update packages, but a vulnerability allows it to download arbitrary files without proper integrity checks.

What type of weakness does CVE-2021-44168 exhibit?

CVE-2021-44168 is classified as a "download of code without integrity check" weakness. This means the system does not adequately verify the authenticity or integrity of downloaded code, enabling the insertion of unauthorized files.

How can an attacker exploit this FortiOS flaw?

An attacker with local authenticated access to the device can exploit this by using specially crafted update packages with the "execute restore src-vis" command, leading to the download of arbitrary files.

What is the significance of the Halo Surface Signal for CVE-2021-44168?

Halo classifies this CVE as internal because it requires local authenticated access, significantly limiting its attack surface and making it very unlikely to be exploited remotely. This means there is no typical public network exposure for this vulnerability.

What steps should be taken to address the FortiOS vulnerability?

Organizations should identify all FortiOS systems, restrict access to those that are affected, and promptly apply vendor-provided updates. Verifying the successful application of patches and monitoring for any unusual activity are also crucial response measures.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified