CVE-2021-26104: 
Fortinet FortiManager vulnerability analysis and mitigation

CVE-2021-26104 is a command injection vulnerability affecting multiple Fortinet products including FortiManager, FortiAnalyzer, and FortiPortal. The vulnerability was discovered in early 2021 and publicly disclosed on August 3, 2021. It affects FortiManager versions 6.2.7 and below, 6.4.5 and below, and all versions of 6.2.x, 6.0.x and 5.6.x, FortiAnalyzer 6.2.7 and below, 6.4.5 and below, and FortiPortal 5.2.5 and below, 5.3.5 and below and 6.0.4 and below (Fortiguard PSIRT, MITRE CVE).

The vulnerability is classified as an OS command injection (CWE-78) with a CVSS v3.1 score of 6.2 (Moderate). The issue exists in the command line interface where certain 'diagnose' commands allow administrators to export files to external FTP/SFTP servers. The vulnerability stems from insufficient sanitization of parameters such as hostname, user, password, and target file names during file transfer operations. All processes run with root privileges, including scripts and binaries handling user inputs, making it possible to obtain an interactive shell on the device (Github Security Advisory).

The successful exploitation of this vulnerability allows a local authenticated and unprivileged user to execute arbitrary shell commands as root through specifically crafted CLI command parameters. This can lead to complete system compromise, as the attacker can gain root-level access to the affected system (MITRE CVE).

Fortinet has released security patches to address this vulnerability. Users should upgrade to FortiManager version 6.0.11 or above, 6.2.8 or above, 6.4.6 or above, or 7.0.0 or above; FortiAnalyzer version 6.0.11 or above, 6.2.8 or above, 6.4.6 or above, or 7.0.0 or above; FortiPortal version 5.2.6 or above, 5.3.6 or above, or 6.0.5 or above. No workarounds are available for this vulnerability (Github Security Advisory).