CVE-2021-36190 in FortiWebinfo

Summary

by MITRE • 12/08/2021

A unintended proxy or intermediary ('confused deputy') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows an unauthenticated attacker to access protected hosts via crafted HTTP requests.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 10/27/2024

The vulnerability identified as CVE-2021-36190 represents a critical confused deputy problem within Fortinet FortiWeb web application firewalls running versions 6.4.1 and below, as well as 6.3.15 and below. This security flaw stems from improper handling of HTTP request forwarding mechanisms that allow an attacker to exploit the proxy functionality in unintended ways. The confused deputy vulnerability occurs when a system incorrectly interprets the identity of a requesting entity, leading to unauthorized access to protected resources that should remain restricted. In this specific case, the FortiWeb appliance fails to properly validate or sanitize the proxy headers in incoming HTTP requests, creating a pathway for malicious actors to bypass authentication and access internal systems.

The technical implementation of this vulnerability involves the manipulation of HTTP proxy headers such as X-Forwarded-For, X-Forwarded-Host, or similar forwarding mechanisms that are typically used to preserve original client information when requests pass through multiple proxy servers. When an unauthenticated attacker crafts specific HTTP requests containing manipulated proxy headers, the FortiWeb appliance incorrectly processes these headers and forwards requests to protected backend hosts without proper authentication verification. This behavior violates fundamental security principles of access control and trust boundaries, as the system fails to distinguish between legitimate proxy traffic and maliciously crafted requests designed to exploit the proxy functionality.

The operational impact of this vulnerability is severe and far-reaching for organizations utilizing affected FortiWeb versions. Attackers can potentially access sensitive internal resources, including web applications, databases, and other protected systems that are normally shielded by the FortiWeb appliance. This compromise extends beyond simple information disclosure to potentially enable further attack vectors such as lateral movement within the network, data exfiltration, and privilege escalation. The vulnerability affects the core security posture of organizations relying on FortiWeb for web application protection, as it undermines the fundamental assumption that the appliance properly isolates and protects internal resources from external threats. Additionally, the unauthenticated nature of the attack means that no credentials or prior access are required to exploit the vulnerability, making it particularly dangerous for organizations with limited network segmentation.

Organizations should immediately implement mitigations including updating to FortiWeb versions that address this vulnerability, specifically versions 6.4.2 and 6.3.16 or later. The vendor has released security patches that correct the confused deputy logic and improve proxy header validation mechanisms. Network administrators should also consider implementing additional monitoring and logging of proxy-related traffic to detect potential exploitation attempts. Configuration hardening measures such as disabling unnecessary proxy functionality, implementing strict header validation policies, and enforcing proper access controls on proxy endpoints can provide additional defense-in-depth. This vulnerability aligns with CWE-284 (Improper Access Control) and maps to ATT&CK technique T1071.004 (Application Layer Protocol: DNS) and T1566 (Phishing) as attackers may use the compromised proxy functionality to redirect traffic or deliver malicious payloads. Organizations should also review their overall network architecture to ensure proper segmentation and implement network monitoring solutions capable of detecting anomalous proxy behavior that could indicate exploitation attempts.

Responsible

Fortinet, Inc.

Reservation

07/06/2021

Disclosure

12/08/2021

Moderation

accepted

CPE

ready

EPSS

0.00807

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!