The subject of this article is the vulnerability CVE-2021-41020 – which I have found in the FortiIsolator – a Fortinet Product. But first, I think it might be interesting to bring a few details into context before addressing the CVE itself.
Last year, OWASP launched the Top 10 2021, a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.
The Risk of Broken Access Control has moved up from the 5th position on the list to the 1st. According to OWASP, 94% of applications were tested for some form of broken access control.
Having that said, the CVE -2021-41020 is considered a vulnerability (CWE-284: Improper Access Control) which is categorized, in this context, at the OWASP Top 10 A01 2021.
In March 2022 I spoke at an event, and on the occasion, I have discussed some vulnerabilities that I have found (Regarding A01 2021 – Broken Access Control). Later, on May 3rd, 2022, it was released a bug fix of another vulnerability that enters this Risk Category. You can check it on the Fortinet Part website.
The Finding Process
Firstly a test environment was created to validate how this software works. Then I realized that the software had uncommon behavior when the read-only user was used. At this moment I did a map of critical endpoints, then I identified that the “CA Re-generate” feature is an important component for the software purpose.
CVE-2021-41020: the vulnerability
To validate if there was a vulnerability in the software, a few tasks were required:
- The critical endpoints in FortiIsolator were listed;
- I had identified that the feature CA Re-generate is an important component of software purpose;
- The authorization mechanism to access this component was validated, and during this process, it was identified that there was not a correct authorization validation – it was created by a user with read-only permission that should not be able to access the component. This user was able to regenerate the CA certificate in the software.
To fix it, the following actions are required:
- Upgrade to FortiIsolator version 2.3.3 or above.
- Upgrade to FortiIsolator version 2.4.0 or above.
When the problem is related to broken access control, it is important to:
- Deny by default.
- Implement access control mechanisms.
- Log access control failures,
- Rate limit API.
To avoid similar problems, enforce the concepts on Security By Design, Shift-Left, establish requirements before the software implementation, and look for security aspects during the architecture planning. If you have any doubt about it, reach out to our team!
The vulnerability has been reported following Fortinet Company Disclosure Policies.