Application Security

An overview on the CVE-2021-41020

The subject of this article is the vulnerability CVE-2021-41020 – which I have found in the FortiIsolator – a Fortinet Product. But first, I think it might be interesting to bring a few details into context before addressing the CVE itself.

Last year, OWASP launched the Top 10 2021, a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. 

The Risk of Broken Access Control has moved up from the 5th position on the list to the 1st. According to OWASP, 94% of applications were tested for some form of broken access control. 

That said, CVE-2021-41020 is classified as CWE-284 (Improper Access Control), which in this context falls under A01:2021 of the OWASP Top 10.

In March 2022 I spoke at an event, and on that occasion I discussed some vulnerabilities that I had found (regarding A01:2021 – Broken Access Control). Later, on May 3rd, 2022, a bug fix for another vulnerability in this risk category was released. You can check it on the Fortinet Part website.

The Finding Process

First, a test environment was created to validate how the software works. Then I realized that the software behaved unusually when the read-only user was used. At that moment I mapped the critical endpoints and identified that the “CA Re-generate” feature is an important component for the software's purpose.

CVE-2021-41020: the vulnerability

To validate if there was a vulnerability in the software, a few tasks were required:

  • The critical endpoints in FortiIsolator were listed;
  • I identified that the CA Re-generate feature is an important component of the software's purpose;
  • The authorization mechanism protecting this component was validated, and during this process it was identified that authorization was not correctly enforced: a user with read-only permission, who should not have been able to access the component, was created, and this user was able to regenerate the CA certificate in the software.

To fix it, the following actions are required:

  • Upgrade to FortiIsolator version 2.3.3 or above.
  • Upgrade to FortiIsolator version 2.4.0 or above.

When the problem is related to broken access control, it is important to:

  • Deny by default.
  • Implement access control mechanisms.
  • Log access control failures.
  • Rate limit APIs.
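The following is an added example written for this article; it is not FortiIsolator's code and the endpoint, role and permission names are assumptions chosen to mirror the scenario above. It shows the vulnerable pattern found during the test (an authenticated but unauthorized read-only user reaching a CA-regeneration action) beside a hardened version that applies the four points listed: an explicit permission map that denies anything not listed, the check itself, a log line on every denial, and a per-user rate limit on the sensitive action. It also includes a small permission-matrix audit, the kind of check a tester runs after mapping the critical endpoints.

```python
"""Added example (not FortiIsolator code): deny-by-default authorization for a
privileged admin action, with failure logging and a per-user rate limit.
Roles, permission names and the CaService class are assumptions."""
import logging
import time
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

logging.basicConfig(level=logging.WARNING)
log = logging.getLogger("authz")


@dataclass
class User:
    name: str
    role: str


# Explicit permission map. Anything not listed here is denied (deny by default),
# including unknown roles, which map to an empty set.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "admin": {"ca:regenerate", "config:read"},
    "read_only": {"config:read"},
}


class AuthorizationError(Exception):
    pass


def has_permission(user: User, permission: str) -> bool:
    return permission in ROLE_PERMISSIONS.get(user.role, set())


class RateLimiter:
    """Sliding-window per-key counter; enough to slow down repeated probing."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self._hits: Dict[str, List[float]] = {}

    def allow(self, key: str, now: float = None) -> bool:
        now = time.monotonic() if now is None else now
        hits = [t for t in self._hits.get(key, []) if now - t < self.window]
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        self._hits[key] = hits
        return True


class CaService:
    """Stand-in for the component exposing the CA Re-generate action."""

    def __init__(self):
        self.generation = 1  # constructed counter standing in for the CA state
        self.limiter = RateLimiter(limit=3, window_seconds=60)

    # Vulnerable pattern: the caller is authenticated, but no authorization
    # check is made, so a read-only user can regenerate the CA.
    def regenerate_ca_vulnerable(self, user: User) -> int:
        self.generation += 1
        return self.generation

    # Hardened pattern: rate limit, explicit permission check, logged denials.
    def regenerate_ca(self, user: User, now: float = None) -> int:
        if not self.limiter.allow(user.name, now):
            log.warning("rate limit exceeded user=%s action=ca:regenerate", user.name)
            raise AuthorizationError("too many requests")
        if not has_permission(user, "ca:regenerate"):
            log.warning("access denied user=%s role=%s action=ca:regenerate",
                        user.name, user.role)
            raise AuthorizationError("forbidden")
        self.generation += 1
        return self.generation


def try_regenerate(service: CaService, user: User, now: float = None) -> Tuple[str, int]:
    """Wrap the hardened call so a caller sees ('ok'|'denied', generation)."""
    try:
        return "ok", service.regenerate_ca(user, now)
    except AuthorizationError:
        return "denied", service.generation


# Constructed expectation matrix: (role, permission) -> should it be allowed?
EXPECTED_ACCESS = {
    ("admin", "ca:regenerate"): True,
    ("read_only", "ca:regenerate"): False,
    ("read_only", "config:read"): True,
    ("guest", "config:read"): False,
}


def audit_permission_matrix(expected=EXPECTED_ACCESS) -> List[Tuple[str, str]]:
    """Return every (role, permission) pair whose live policy differs from
    the expected matrix; an empty list means the policy matches."""
    return [pair for pair, want in expected.items()
            if has_permission(User("probe", pair[0]), pair[1]) != want]


if __name__ == "__main__":
    svc = CaService()
    print("vulnerable:", svc.regenerate_ca_vulnerable(User("audit", "read_only")))
    print("hardened read_only:", try_regenerate(svc, User("audit", "read_only")))
    print("hardened admin:", try_regenerate(svc, User("root", "admin")))
    print("matrix mismatches:", audit_permission_matrix())
```

The audit function is the part to keep around: run it against the real policy after every change to the role map, and treat any returned pair as a regression of the kind described in this CVE.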

Conclusion

To avoid similar problems, apply the concepts of Security by Design and Shift-Left: establish security requirements before the software is implemented, and consider security aspects during architecture planning. If you have any doubts about this, reach out to our team!

Disclosure Policy

The vulnerability was reported following Fortinet's disclosure policies.
