Rewterz Threat Advisory – Multiple Fortinet Products Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2021-42756 CVSS:9.8

Fortinet FortiWeb is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the proxy daemon. By sending a specially-crafted HTTP request, a remote attacker could overflow a buffer and execute arbitrary code on the system.

CVE-2021-42761 CVSS:9

Fortinet FortiWeb could allow a remote attacker to hijack a user’s session, caused by a session fixation vulnerability. An attacker could exploit this vulnerability using session cookie to gain access to another user’s session.

CVE-2023-25602 CVSS:7.8

Fortinet FortiWeb is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. By using specially-crafted command arguments, a local authenticated attacker could overflow a buffer and execute arbitrary code on the system.

CVE-2022-30299 CVSS:5.3

Fortinet FortiWeb could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted request containing “dot dot” sequences (/../) to retrieve specific parts of files from the underlying file system.

CVE-2022-30300 CVSS:6.5

Fortinet FortiWeb could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially-crafted HTTP GET request containing “dot dot” sequences (/../) to access files and data on the system.

CVE-2022-30303 CVSS:8.8

Fortinet FortiWeb could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by an OS command injection vulnerability. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to execute arbitrary commands on the system with root privileges.

CVE-2021-43074 CVSS:4.3

Fortinet products could allow a remote authenticated attacker to obtain sensitive information, caused by improper verification of cryptographic signatures. By intercepting a session management cookie, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.

CVE-2022-30304 CVSS:4.3

Fortinet FortiAnalyzer is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the FortiWeb attack event logview. A remote attacker could exploit this vulnerability using the URL parameter to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2022-33869 CVSS:8.8

Fortinet FortiWAN could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by an OS command injection vulnerability in the management interface. By sending specially-crafted arguments to existing commands, an attacker could exploit this vulnerability to execute arbitrary commands on the system.

CVE-2022-33871 CVSS:6.6

Fortinet FortiWeb is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. By using specially-crafted CLI execute backup-local rename and execute backup-local show operations, a remote authenticated attacker could overflow a buffer and execute arbitrary code or commands on the system.

CVE-2023-23778 CVSS:4.9

Fortinet FortiWeb could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/../) to access to files and data on the system.

CVE-2023-23779 CVSS:6.8

Fortinet FortiWeb could allow a remote authenticated attacker within the local network to execute arbitrary commands on the system, caused by an OS command injection vulnerability. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.

CVE-2023-23780 CVSS:8

Fortinet FortiWeb is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. By sending a specially-crafted HTTP request, a remote authenticated attacker within the local network could overflow a buffer and execute arbitrary code on the system with elevated privileges.

CVE-2023-23781 CVSS:6.4

Fortinet FortiWeb is vulnerable to a stack-based buffer overflow, caused by improper bounds checking in the SAML server configuration. By using a specially-crafted XML file, a remote authenticated attacker within the local network could overflow a buffer and execute arbitrary code on the system.

CVE-2023-23782 CVSS:7.8

Fortinet FortiWeb is vulnerable to a heap-based buffer overflow, caused by improper bounds checking in the command line interpreter. By sending specially-crafted arguments to existing commands, a local authenticated attacker could overflow a buffer and execute arbitrary code on the system.

CVE-2023-23783 CVSS:6.7

Fortinet FortiWeb could allow a local authenticated attacker to execute arbitrary code on the system, caused by a format string vulnerability in the command line interpreter. By sending specially-crafted command arguments, an attacker could exploit this vulnerability to execute arbitrary code or commands on the system.

CVE-2022-42472 CVSS:4.2

Fortinet FortiProxy and FortiOS are vulnerable to HTTP response splitting attacks, caused by a CRLF injection vulnerability. A remote authenticated attacker could exploit this vulnerability to inject a CRLF character sequence and cause the server to return a split response once the URL is clicked. This would allow the attacker to perform further attacks, such as cache poisoning, cross-site scripting, session hijacking, and possibly obtain sensitive information.

CVE-2023-23784 CVSS:5.7

Fortinet FortiWeb could allow a remote authenticated attacker within the local network to traverse directories on the system. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/../) to view arbitrary files on the underlying filesystem.

Impact

• Information Disclosure
• Buffer Overflow
• Command Execution
• Unauthorized Access
• Cross-Site Scripting

Indicators Of Compromise

CVE

CVE-2021-42756
CVE-2021-42761
CVE-2023-25602
CVE-2022-30299
CVE-2022-30300
CVE-2022-30303
CVE-2021-43074
CVE-2022-30304
CVE-2022-33869
CVE-2022-33871
CVE-2023-23778
CVE-2023-23779
CVE-2023-23780
CVE-2023-23781
CVE-2023-23782
CVE-2023-23783
CVE-2022-42472
CVE-2023-23784

Affected Vendors

Fortinet

Affected Products

• Fortinet FortiWeb 6.2.5
• Fortinet FortiWeb 6.3.15
• Fortinet FortiWeb 6.4.1
• Fortinet FortiOS 7.0.0
• Fortinet FortiProxy 7.0.0
• Fortinet FortiOS 7.0.3
• Fortinet FortiProxy 7.0.1
• Fortinet FortiOS 7.2.0
• Fortinet FortiAnalyzer 6.4.4
• Fortinet FortiProxy 2.0.0
• Fortinet FortiProxy 1.2.0
• Fortinet FortiProxy 2.0.10
• Fortinet FortiWeb 6.2.6
• Fortinet FortiWeb 6.0.7
• Fortinet FortiWeb 6.3.16
• Fortinet FortiWeb 6.4
• Fortinet FortiWeb 6.3.11
• Fortinet FortiWeb 7.0.0
• Fortinet FortiWeb 6.4.2
• Fortinet FortiWeb 6.3.6
• Fortinet FortiProxy 1.1
• Fortinet FortiProxy 1.0
• Fortinet FortiWeb 6.0
• Fortinet FortiWeb 6.1
• Fortinet FortiOS 6.4.8
• Fortinet FortiProxy 2.0.7
• Fortinet FortiOS 6.2
• Fortinet FortiOS 6.0
• Fortinet FortiWeb 6.2
• Fortinet FortiSwitch 7.0.3
• Fortinet FortiSwitch 6.4.10
• Fortinet FortiSwitch 6.2
• Fortinet FortiSwitch 6.0
• Fortinet FortiAnalyzer 6.0.6
• Fortinet FortiWAN 4.5.8
• Fortinet FortiWAN 4.5.7
• Fortinet FortiOS 7.0.8
• Fortinet FortiOS 7.2.2
• Fortinet FortiProxy 7.0.7
• Fortinet FortiProxy 7.2.0
• Fortinet FortiProxy 7.2.1
• Fortinet FortiWeb 7.0.2
• Fortinet FortiWeb 6.1.2

Remediation

Refer to FortiGuard Advisory for patch, upgrade or suggested workaround information.

CVE-2021-42756

CVE-2021-42761

CVE-2023-25602

CVE-2022-30299

CVE-2022-30300

CVE-2022-30303

CVE-2021-43074

CVE-2022-30304

CVE-2022-33869

CVE-2022-33871

CVE-2023-23778

CVE-2023-23779

CVE-2023-23780

CVE-2023-23781

CVE-2023-23782