CVE-2021-41014
📋 TL;DR
CVE-2021-41014 is a denial-of-service vulnerability in Fortinet FortiWeb web application firewalls where unauthenticated attackers can send specially crafted huge HTTP packets to crash the httpsd daemon, making the device unresponsive. This affects FortiWeb versions 6.4.1 and below, and 6.3.15 and below.
💻 Affected Systems
- Fortinet FortiWeb
📦 What is this software?
Fortiweb by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption of the FortiWeb device, rendering web applications unprotected and unavailable until manual restart.
Likely Case
Temporary denial of service affecting web application availability and security protection.
If Mitigated
Minimal impact with proper network segmentation and rate limiting in place.
🎯 Exploit Status
Simple HTTP request with oversized payload can trigger the vulnerability. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FortiWeb 6.4.2 and 6.3.16
Vendor Advisory: https://fortiguard.com/advisory/FG-IR-21-131
Restart Required: Yes
Instructions:
1. Download FortiWeb firmware version 6.4.2 or 6.3.16 from the Fortinet support portal.
2. Back up the current configuration.
3. Upload and install the new firmware via the web interface or CLI.
4. Reboot the device after installation.
🔧 Temporary Workarounds
Rate Limiting
Configure HTTP request size limits and rate limiting to prevent oversized packets.
config system global
set http-max-header-size 8192
set http-max-body-size 1048576
end
Network Segmentation
Restrict access to FortiWeb management interfaces to trusted networks only.
config firewall address
edit "trusted-networks"
set subnet 192.168.1.0 255.255.255.0
next
end
config firewall policy
edit 0
set srcintf "port1"
set dstintf "port1"
set srcaddr "trusted-networks"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end
🧯 If You Can't Patch
- Implement network-based IPS/IDS to detect and block oversized HTTP packets.
- Deploy load balancer or reverse proxy in front of FortiWeb to filter malicious requests.
🔍 How to Verify
Check if Vulnerable:
Check FortiWeb firmware version via web interface (System > Dashboard) or CLI command 'get system status'.
Check Version:
get system status | grep Version
Verify Fix Applied:
Verify firmware version is 6.4.2 or higher, or 6.3.16 or higher after patching.
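The version check above has a branch-specific edge: 6.3.16 is fixed even though it sorts below 6.4.1, which is vulnerable. The following script is an added example (not from the advisory or from Fortinet) that parses the "Version:" line of `get system status` output and applies exactly the fixed-version rule stated above. The sample output line is constructed, and the regex assumes a `Version: ... x.y.z` layout; adjust it if your device prints the version differently.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed versions named in the advisory: 6.4.2 for the 6.4 branch, 6.3.16 for the 6.3 branch.
FIXED_64: Version = (6, 4, 2)
FIXED_63: Version = (6, 3, 16)

# Constructed sample of 'get system status' output (format is an assumption; the
# serial number is a placeholder, not a real device value).
SAMPLE_STATUS = """Version: FortiWeb-VM 6.3.15,build1108(GA),210817
Serial-Number: FVVM-PLACEHOLDER-0000
Hostname: fortiweb-lab
"""

VERSION_RE = re.compile(r"^Version:.*?(\d+)\.(\d+)\.(\d+)", re.MULTILINE)


def parse_version(status_output: str) -> Optional[Version]:
    """Return (major, minor, patch) from the Version: line, or None if absent."""
    m = VERSION_RE.search(status_output)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_fixed(v: Version) -> bool:
    """True when the firmware carries the fix for CVE-2021-41014.

    Rule from the advisory: 6.4.2 or higher fixes the 6.4 branch, and
    6.3.16 or higher fixes the 6.3 branch. Anything else (6.4.0/6.4.1,
    6.3.15 and below, and older branches) is in the affected range.
    """
    return v >= FIXED_64 or (FIXED_63 <= v < (6, 4, 0))


def assess(status_output: str) -> str:
    """Human-readable verdict for one device's status output."""
    v = parse_version(status_output)
    if v is None:
        return "unknown: no Version line found"
    label = ".".join(map(str, v))
    return f"{label}: {'fixed' if is_fixed(v) else 'VULNERABLE, upgrade required'}"


if __name__ == "__main__":
    print(assess(SAMPLE_STATUS))
```

Run it against the captured output of `get system status` on each device; a result of "fixed" means the firmware is at or past the advisory's patch version for its branch.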
📡 Detection & Monitoring
Log Indicators:
- Multiple 'httpsd' process crashes in system logs
- Unusually large HTTP request sizes in web logs
- Increased memory/CPU usage before service disruption
Network Indicators:
- HTTP requests with abnormally large payload sizes (>10MB)
- Multiple connection attempts with oversized headers
SIEM Query:
source="fortiweb" AND (event="process crash" OR http_request_size>10000000)
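As an added example of the detection logic the indicators and SIEM query above describe (not code from the advisory or from Fortinet), the script below parses key=value log lines, counts httpsd crash events, and flags requests whose size exceeds the 10 MB threshold. The log layout, field names (`event`, `msg`, `src`, `http_request_size`), and the "two or more crashes" threshold are assumptions; the sample lines are constructed and use documentation IP ranges.

```python
import re
from typing import Dict, List

OVERSIZED_BYTES = 10_000_000  # the ">10MB" threshold from the network indicators above
CRASH_THRESHOLD = 2           # assumed: two or more httpsd crashes counts as "multiple"

# key=value tokens, with either a double-quoted or a bare value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log lines; the layout is an assumption, not FortiWeb's actual log format.
SAMPLE_LOGS = [
    'date=2021-10-01 time=09:58:10 type=traffic src=203.0.113.7 dst=198.51.100.5 http_request_size=1200',
    'date=2021-10-01 time=09:59:02 type=traffic src=203.0.113.9 dst=198.51.100.5 http_request_size=15728640',
    'date=2021-10-01 time=09:59:05 type=event event="process crash" msg="httpsd exited on signal 11"',
    'date=2021-10-01 time=09:59:40 type=traffic src=203.0.113.9 dst=198.51.100.5 http_request_size=20971520',
    'date=2021-10-01 time=09:59:44 type=event event="process crash" msg="httpsd exited on signal 11"',
    'date=2021-10-01 time=10:00:30 type=event event="config change" msg="admin login"',
]


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into a field dict; quoted values keep their spaces."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def analyze(lines: List[str]) -> Dict[str, object]:
    """Apply the two indicators: httpsd crash events and oversized HTTP requests."""
    crashes = 0
    oversized: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        # Log indicator: a process-crash event whose message names httpsd
        if rec.get("event") == "process crash" and "httpsd" in rec.get("msg", ""):
            crashes += 1
        # Network indicator: request size above the 10 MB threshold
        size = rec.get("http_request_size", "")
        if size.isdigit() and int(size) > OVERSIZED_BYTES:
            oversized.append({"src": rec.get("src"), "bytes": int(size)})
    return {
        "httpsd_crashes": crashes,
        "oversized_requests": oversized,
        "suspect_sources": sorted({str(o["src"]) for o in oversized}),
        "alert": crashes >= CRASH_THRESHOLD or bool(oversized),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOGS)
    print(f"httpsd crashes: {result['httpsd_crashes']}")
    print(f"oversized requests: {len(result['oversized_requests'])} from {result['suspect_sources']}")
    print("ALERT" if result["alert"] else "no indicators")
```

The same two conditions are what the SIEM query above expresses; correlating the oversized-request sources with the timestamps of the crash events is what distinguishes an exploitation attempt from an unrelated httpsd fault.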