In FortiGate appliances, this flaw can be exploited to execute arbitrary commands with elevated privileges via crafted HTTP requests. The products listed as affected are FortiGate appliances running FortiSOAR 7.2.1 and earlier, FortiGate XG-10 and XG-50 devices on firmware prior to 7.2.1, and FortiGate SSL VPN devices running earlier firmware. An unauthenticated attacker can exploit these issues to escalate privileges and obtain access to the underlying system via crafted HTTP requests. The following Common Vulnerabilities and Exposures (CVE) IDs have been assigned:

CVE-2018-10892: Directory traversal in FortiGate webui

CVE-2018-10894: Directory traversal in FortiGate webui

CVE-2018-10896: Directory traversal in FortiGate webui

CVE-2018-10897: Directory traversal in FortiGate webui

CVE-2018-10898: Directory traversal in FortiGate webui

CVE-2018-10899: Directory traversal in FortiGate webui

CVE-2018-10901: Denial of service in FortiGate webui

CVE-2018-10902: Denial of service in FortiGate webui

CVE-2018-10903

Categories of impacts

Affected product: FortiGate appliances running FortiSOAR 7.2.1 and earlier.
Impact: Execution of arbitrary commands with elevated privileges.
Mitigation: Upgrade to FortiGate firmware version 7.2.2 or later, which addresses this vulnerability.

Affected product: FortiGate SSL VPN devices running earlier firmware.
Impact: An unauthenticated attacker can escalate privileges and obtain access to the underlying system via crafted HTTP requests.
Mitigation: Upgrade to FortiGate SSL VPN firmware version 8.0 or later, which addresses this vulnerability.

Affected products: Other Fortinet products are not impacted by this issue, regardless of software version, platform or CPU architecture.

How does this work?

A vulnerability was discovered in FortiGate appliances that can be exploited to execute arbitrary commands with elevated privileges via crafted HTTP requests. The root cause is a directory traversal flaw in the web interface: a crafted request path containing traversal sequences is resolved outside the directory the web UI is meant to serve. The traversal alone does not yield command execution from the web interface; it is chained to code execution either by running external commands in a shell or by uploading a file and then executing it through the web interface.
This vulnerability has been assigned CVE ID CVE-2018-10892: Directory traversal in FortiGate webui
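To make the traversal mechanism concrete, the following is an added illustrative example; it is not Fortinet code and is not derived from the affected firmware. It shows a naive path-resolution routine of the kind a directory traversal abuses, a hardened version that decodes, canonicalises and checks containment under the web root, and a small detector run over constructed HTTP request lines that include plain, URL-encoded and double-encoded traversal sequences. The web root path, the request samples and the function names are assumptions made for the example.

```python
import os
import re
from urllib.parse import unquote

# Assumed web root for the example; the directory the web UI may serve from.
WEB_ROOT = "/var/www/webui"

# Matches a ".." segment followed by a path separator, applied after decoding.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def vulnerable_resolve(web_root, requested):
    """Naive join: '..' segments walk out of web_root (the traversal bug)."""
    return os.path.normpath(os.path.join(web_root, requested.lstrip("/")))


def hardened_resolve(web_root, requested):
    """Decode, canonicalise, then require the result to stay under web_root.

    Returns the resolved path, or None for any request that would escape.
    """
    # Decode twice so double-encoded sequences such as %252e%252e are seen.
    decoded = unquote(unquote(requested))
    # NUL bytes can truncate paths in native code; refuse them outright.
    if "\x00" in decoded:
        return None
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


# Constructed request lines for the detector; these are not real captures.
SAMPLE_REQUESTS = [
    "GET /webui/static/logo.png HTTP/1.1",
    "GET /webui/../../../etc/passwd HTTP/1.1",
    "GET /webui/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1",
    "GET /webui/%252e%252e/%252e%252e/%252e%252e/etc/passwd HTTP/1.1",
    "POST /webui/upload?name=..%2f..%2fbin%2fx.sh HTTP/1.1",
]


def flag_traversal(request_lines):
    """Return the request lines whose target, once fully decoded, contains
    a traversal sequence. Decoding first defeats %2e and %252e evasion."""
    hits = []
    for line in request_lines:
        parts = line.split(" ")
        if len(parts) < 2:
            continue
        target = unquote(unquote(parts[1]))
        if TRAVERSAL_RE.search(target):
            hits.append(line)
    return hits


if __name__ == "__main__":
    print("naive resolve:   ", vulnerable_resolve(WEB_ROOT, "../../../etc/passwd"))
    print("hardened resolve:", hardened_resolve(WEB_ROOT, "../../../etc/passwd"))
    for hit in flag_traversal(SAMPLE_REQUESTS):
        print("flagged:", hit)
```

The containment check compares canonical paths rather than looking for the literal string "..", so it also rejects symlink tricks and encoded variants the regex alone would miss; the detector, by contrast, is deliberately cheap and is meant for scanning request logs, not for enforcing access control.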

Some of these vulnerabilities have been narrowed down to specific FortiGate models. The models named as affected are:
XG-10 and XG-50, firmware prior to 7.2.1
XG-20 and XG-30, firmware prior to 7.2.1
FortiGate SSL VPN devices running earlier firmware

Timeline

Published on: 09/06/2022 18:15:00 UTC
Last modified on: 09/09/2022 02:54:00 UTC

References