CVE-2021-24010
📋 TL;DR
This CVE describes a path traversal vulnerability in the FortiSandbox web interface that allows an authenticated user to access restricted files and directories via specially crafted web requests. It affects FortiSandbox 3.1.4 and earlier in the 3.1 branch and 3.2.2 and earlier in the 3.2 branch; 3.1.5 and 3.2.3 contain the fix. Because exploitation requires valid credentials, the realistic attacker is an insider or someone who has already obtained an account; with that access they can read files outside the intended directories, including sensitive system and configuration data.
💻 Affected Systems
- FortiSandbox
📦 What is this software?
FortiSandbox by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could read files the web server process can reach, including system files and configuration data. If those files expose credentials, keys, or session material, the attacker could pivot to administrative access and fully compromise the appliance. The advisory describes access to restricted files and directories, not a code-execution primitive, so the severity of the worst case depends on what the exposed files contain.
Likely Case
Authenticated users (including low-privileged accounts) can access files outside their intended directories, potentially exposing sensitive configuration data, logs, or other restricted information.
If Mitigated
With the web interface reachable only from trusted management networks and accounts limited to known staff, exposure is confined to those authenticated users inside that zone. An external attacker would first need both network reachability and valid credentials, which sharply reduces the chance of the flaw being reached at all.
🎯 Exploit Status
Exploitation requires authenticated access to the FortiSandbox web interface. The vulnerability is a classic path traversal: directory traversal sequences (../ and encoded variants) in a web request are not properly rejected, so the request escapes the intended directory. Because credentials are required, the practical attacker is a malicious or compromised account holder, which makes account hygiene and access logging part of the exposure calculation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FortiSandbox 3.1.5 and 3.2.3 or later
Vendor Advisory: https://fortiguard.com/advisory/FG-IR-20-202
Restart Required: Yes
Instructions:
1. Download the 3.1.5 or 3.2.3 (or later) firmware image for your branch from the Fortinet support portal and verify its checksum against the value shown there.
2. Back up the current configuration.
3. Upload and install the firmware update via the web interface or CLI.
4. Reboot the appliance after installation completes and confirm the new version.
🔧 Temporary Workarounds
Restrict Web Interface Access
Limit access to the FortiSandbox web interface to trusted IP addresses using firewall rules on the device in front of it. The policy below is FortiGate CLI (not FortiSandbox commands); "trusted_network" and "sandbox_ip" are address objects that must already exist, and the interface names must match your topology. The accept policy must sit above the deny policy; the FortiGate already denies unmatched traffic implicitly, so the explicit deny exists mainly to log blocked attempts.
config firewall policy
    edit 0
        set name "allow-trusted-to-sandbox-https"
        set srcintf "internal"
        set dstintf "sandbox"
        set srcaddr "trusted_network"
        set dstaddr "sandbox_ip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    edit 0
        set name "deny-all-to-sandbox-https"
        set srcintf "any"
        set dstintf "sandbox"
        set srcaddr "all"
        set dstaddr "sandbox_ip"
        set action deny
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
Implement Strong Authentication
Enforce multi-factor authentication and strong password policies for all FortiSandbox user accounts. This does not stop a user who legitimately holds an account from exploiting the flaw, but it makes stolen or guessed credentials far less useful. The snippet below uses FortiGate-style CLI syntax for illustration; on FortiSandbox itself, administrator accounts and their authentication method are managed from the web interface.
config system admin
    edit "admin_user"
        set password <strong_password>
        set two-factor fortitoken
        set fortitoken <fortitoken_serial>
    next
end
🧯 If You Can't Patch
- Implement strict network segmentation to isolate FortiSandbox from other critical systems and expose its web interface only to a management network
- Enable detailed logging for all web interface access and forward it off-box to a SIEM so traversal attempts are visible and survive tampering
- Review the administrator account list, remove accounts that are no longer needed, and rotate credentials, since the flaw is only reachable by authenticated users
🔍 How to Verify
Check if Vulnerable:
Check the FortiSandbox firmware version via the web interface (Dashboard, System Information widget) or from the CLI. The FortiSandbox CLI reference documents the version command as status; get system status is the FortiGate-style equivalent. Read the Version line of the output.
Check Version:
get system status
Verify Fix Applied:
After upgrading and rebooting, confirm the firmware version is 3.1.5 or later for the 3.1.x branch, or 3.2.3 or later for the 3.2.x branch. Compare versions numerically, not as strings: "3.1.10" is newer than "3.1.5" even though it sorts first alphabetically.
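As an added example (not from the original page or from Fortinet), a small Python helper that pulls the x.y.z version out of a status line and classifies it against the fixed releases named on this page. The sample status lines are constructed for the example, and the "Version: vX.Y.Z,buildNNNN (GA)" shape is an assumption about output format; the regex only needs some x.y.z version to be present, so it works on a bare version string too.

```python
import re

# Fixed releases per the advisory on this page: 3.1.5 for the 3.1 branch,
# 3.2.3 for the 3.2 branch. Earlier releases in those branches are affected.
FIXED_VERSIONS = {
    (3, 1): (3, 1, 5),
    (3, 2): (3, 2, 3),
}

# Matches "Version: v3.2.2,build0188 (GA)" or a bare "3.2.2".
# The exact status-line format is an assumption; only the x.y.z part matters.
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) as ints from a status line or version string.

    Raises ValueError if no x.y.z version is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def assess(version_text):
    """Classify a FortiSandbox version against CVE-2021-24010.

    Returns one of:
      "vulnerable"  in an affected branch and below the fixed release
      "fixed"       in an affected branch at or above the fixed release
      "unlisted"    branch not named in the advisory; consult the vendor
    Tuple comparison is numeric, so 3.1.10 correctly ranks above 3.1.5.
    """
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "unlisted"
    return "vulnerable" if version < fixed else "fixed"


if __name__ == "__main__":
    # Constructed sample status lines (not real appliance output).
    for line in [
        "Version: v3.1.4,build0158 (GA)",
        "Version: v3.1.5,build0162 (GA)",
        "Version: v3.2.2,build0188 (GA)",
        "Version: v3.2.3,build0195 (GA)",
        "Version: v4.0.0,build0040 (GA)",
    ]:
        print(f"{line:40} -> {assess(line)}")
```

Feed it the Version line from each appliance in an inventory export and anything returning "vulnerable" needs the upgrade; "unlisted" branches are outside what this page covers and should be checked against the vendor advisory rather than assumed safe.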
📡 Detection & Monitoring
Log Indicators:
- Web requests whose path contains directory traversal sequences: ../ and ..\, URL-encoded forms such as %2e%2e%2f and ..%2f, and double-encoded forms such as %252e%252e%252f
- An authenticated session that begins requesting paths outside the application's normal URI space (for example, system or configuration file names) shortly after login, especially following a burst of failed logins on the same account
- Access to unusual or non-existent file paths in web server logs, including 403/404 responses, since a working traversal is often preceded by probing
Network Indicators:
- Traffic to the FortiSandbox web interface from sources outside the expected management network
- Requests with traversal sequences in the URI, which is only observable where TLS is terminated or inspected; for end-to-end HTTPS rely on the appliance's own web access logs instead
SIEM Query:
source="fortisandbox" AND (uri="*../*" OR uri="*..\\*" OR uri="*%2e%2e%2f*" OR uri="*..%2f*" OR uri="*%2e%2e/*" OR uri="*%252e%252e*")
Literal pattern matching like this misses encodings it does not list, so where the SIEM supports it, URL-decode the uri field (more than once, to catch double encoding) before matching.
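Added example, not part of the original page: the SIEM query above matches literal traversal strings, so an extra layer of encoding (%252e%252e%252f) or a mixed form (..%2f) slips past it. The Python below canonicalises each URI before matching, decoding repeatedly and normalising backslashes, and flags only whole ".." path segments so a filename like 2021..pdf is not a false positive. The log lines and their key=value shape are constructed for the example; the real FortiSandbox log format will differ, so adapt the uri= and user= extraction to your records.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in a key=value shape.
# These are NOT real FortiSandbox log records.
SAMPLE_LOGS = [
    'user=analyst method=GET uri="/api/v1/report/../../../etc/passwd" status=200',
    'user=analyst method=GET uri="/api/v1/report/%2e%2e%2f%2e%2e%2fetc%2fpasswd" status=200',
    'user=analyst method=GET uri="/api/v1/report/..%2f..%2fconfig" status=403',
    'user=analyst method=GET uri="/api/v1/report/%252e%252e%252fconfig" status=200',
    'user=analyst method=GET uri="/api/v1/report/..\\..\\windows\\win.ini" status=404',
    'user=analyst method=GET uri="/api/v1/report/2021..pdf" status=200',
    'user=analyst method=GET uri="/api/v1/report/daily.json" status=200',
]

_URI_RE = re.compile(r'uri="([^"]*)"')
_USER_RE = re.compile(r"user=(\S+)")


def canonicalize(uri, rounds=3):
    """Percent-decode repeatedly (to defeat double encoding) and normalise
    backslashes to forward slashes, so '..\\', '%2e%2e%2f' and '%252e%252e%252f'
    all collapse to '../'. Decoding stops early once the string stops changing;
    the round cap prevents pathological inputs from looping for long.
    """
    current = uri
    for _ in range(rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def has_traversal(uri):
    """True if, after canonicalisation, any path segment is exactly '..'.

    Checking whole segments rather than the substring '..' avoids flagging
    legitimate names such as '2021..pdf'. The query string is dropped first.
    """
    path = canonicalize(uri).split("?", 1)[0]
    return any(segment == ".." for segment in path.split("/"))


def find_traversal_events(log_lines):
    """Return (user, original_uri, canonical_uri) for each suspicious line."""
    hits = []
    for line in log_lines:
        m = _URI_RE.search(line)
        if not m:
            continue
        uri = m.group(1)
        if has_traversal(uri):
            user_match = _USER_RE.search(line)
            user = user_match.group(1) if user_match else "?"
            hits.append((user, uri, canonicalize(uri)))
    return hits


if __name__ == "__main__":
    for user, raw, canon in find_traversal_events(SAMPLE_LOGS):
        print(f"{user}: {raw} -> {canon}")
```

Because the flaw is only reachable by authenticated users, the user field is the most useful pivot: a single account producing several hits is a stronger signal than the count of traversal strings alone.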