FortiSandbox - Command injection impacting CLI command

Summary

An improper neutralization of special elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiSandbox may allow a privileged attacker with super-admin profile and CLI access to execute arbitrary code via CLI.
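The advisory does not describe the affected CLI command, so the following is a constructed illustration of the CWE-78 pattern in a privileged CLI wrapper, added here for context and not taken from FortiSandbox. It uses `echo` as a stand-in for whatever OS utility a command might invoke, and the hostname-style allowlist is an assumption for the example. The unsafe variant interpolates an operator-supplied argument into a shell string; the hardened variant validates it against an allowlist and passes it as a discrete argv element so no shell ever parses it, and a small detection helper flags metacharacters for audit logging.

```python
"""Constructed CWE-78 illustration for a CLI command wrapper (not FortiSandbox code)."""
import re
import subprocess

# Allowlist for a hostname-like argument (assumption for this example).
ALLOWED_ARG = re.compile(r"[A-Za-z0-9.-]{1,253}")
# Characters that /bin/sh would treat specially if the argument reached it unquoted.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\\\"']")


def run_unsafe(arg: str) -> str:
    """Vulnerable form: shell=True plus string interpolation.

    Anything in `arg` that the shell understands (e.g. ';') is executed as
    a separate command, which is exactly the CWE-78 failure mode.
    """
    proc = subprocess.run(f"echo {arg}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def validate_arg(arg: str) -> str:
    """Reject any argument that does not match the allowlist."""
    if not ALLOWED_ARG.fullmatch(arg):
        raise ValueError(f"argument rejected by allowlist: {arg!r}")
    return arg


def run_safe(arg: str) -> str:
    """Hardened form: allowlist validation, then an argv list with no shell.

    The argument is handed to the utility as a single token, so even if the
    allowlist were loosened, the shell would never interpret it.
    """
    proc = subprocess.run(["echo", validate_arg(arg)],
                          capture_output=True, text=True)
    return proc.stdout


def looks_like_injection(arg: str) -> bool:
    """Cheap detection hook: True if the input carries shell metacharacters.

    Useful for audit logging of CLI input from privileged accounts even when
    the command path itself has been hardened.
    """
    return SHELL_META.search(arg) is not None


if __name__ == "__main__":
    benign = "host01.example.test"      # constructed sample input
    tainted = "host01; echo INJECTED"    # constructed sample input
    print(repr(run_unsafe(tainted)))     # the shell runs a second command
    print(repr(run_safe(benign)))        # single token, echoed verbatim
    print(looks_like_injection(tainted))
```

In a real CLI the fix belongs at the boundary where the operator's argument is accepted: validate against what the command legitimately needs, then call the OS utility with an argument vector rather than a shell string. The advisory's scope (super-admin profile and CLI access required) is why this class of bug is rated on the basis of privilege escalation from an administrative shell to arbitrary code on the underlying OS.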

Version            Affected               Solution
FortiSandbox 4.4   4.4.0 through 4.4.2    Upgrade to 4.4.3 or above
FortiSandbox 4.2   4.2.0 through 4.2.6    Upgrade to 4.2.7 or above
FortiSandbox 4.0   4.0 all versions       Migrate to a fixed release
FortiSandbox 3.2   3.2 all versions       Migrate to a fixed release
FortiSandbox 3.0   3.0.5 through 3.0.7    Migrate to a fixed release

Acknowledgement

Internally discovered and reported by Adham El karn of the Fortinet Product Security team.

Timeline

2024-04-09: Initial publication