CVE-2021-22128 – This vulnerability allows authenticated remote ... (How to Fix)

Q: What is the severity of CVE-2021-22128?

CVE-2021-22128 has a CVSS score of 7.1 (HIGH). This vulnerability allows authenticated remote attackers to bypass access controls in FortiProxy SSL VPN portal, potentially accessing internal services like the ZebOS Shell. Affected systems include FortiProxy SSL VPN portal versions 2.0.0, 1.2.9 and below.

📋 TL;DR

This vulnerability allows authenticated remote attackers to bypass access controls in FortiProxy SSL VPN portal, potentially accessing internal services like the ZebOS Shell. Affected systems include FortiProxy SSL VPN portal versions 2.0.0, 1.2.9 and below.

💻 Affected Systems

Products:

FortiProxy SSL VPN portal

Versions: 2.0.0, 1.2.9 and below

Operating Systems: FortiOS

Default Config Vulnerable: ⚠️ Yes

Notes: Requires authenticated access to the SSL VPN portal.

📦 What is this software?

Fortiproxy by Fortinet

View all CVEs affecting Fortiproxy →

Fortiproxy by Fortinet

View all CVEs affecting Fortiproxy →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the FortiProxy appliance, allowing attackers to execute arbitrary commands, access sensitive data, and pivot to internal networks.

🟠

Likely Case

Unauthorized access to internal services and potential lateral movement within the network.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls are implemented.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access but appears straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions above 2.0.0 and 1.2.9

Vendor Advisory: https://fortiguard.com/advisory/FG-IR-20-235

Restart Required: Yes

Instructions:

1. Upgrade FortiProxy to version above 2.0.0 or 1.2.9. 2. Apply the update through the FortiGate GUI or CLI. 3. Restart the affected services.

🔧 Temporary Workarounds

Disable Quick Connection

all

Disable the Quick Connection functionality in the SSL VPN portal configuration.

config vpn ssl web portal
edit <portal-name>
unset quick-connection
end

🧯 If You Can't Patch

Restrict SSL VPN access to trusted IP addresses only.
Implement network segmentation to isolate FortiProxy from critical internal services.

🔍 How to Verify

Check if Vulnerable:

Check FortiProxy version via CLI: 'get system status' or GUI under System > Dashboard.

Check Version:

get system status | grep Version

Verify Fix Applied:

Verify version is above 2.0.0 or 1.2.9 and test Quick Connection functionality.

📡 Detection & Monitoring

Log Indicators:

Unusual access to ZebOS Shell or internal services from SSL VPN users
Multiple failed authentication attempts followed by successful access

Network Indicators:

Unexpected traffic from FortiProxy to internal services on non-standard ports

SIEM Query:

source="fortiproxy" AND (event="vpn_access" OR event="shell_access") AND user!="admin"

📊 Metadata

CVE ID: CVE-2021-22128

CVSS v3 Score: 7.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

Published: March 4, 2021

Last Updated: November 21, 2024

🔗 References

https://fortiguard.com/advisory/FG-IR-20-235 Vendor Advisory
https://fortiguard.com/advisory/FG-IR-20-235 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON