On March 14, 2023, NIST initiated analysis on a vulnerability in FortiOS designated CVE-2022 – 42328.
The vulnerability is a Path traversal in execute command which can allow an attacker to use it to execute unauthorized code or commands. The attacker may be able to create or overwrite critical files used to execute code in programs or libraries. This post provides an overview of steps you can take to protect your organization and your third-party network. We’ve also included a summary of our investigation and mitigation efforts.
Using special characters, an attacker can escape out of the intended location and access files or directories in other places in the system. According to the official Fortinet advisory, the vulnerability restricts a pathname to a limited directory and may allow a privileged attacker to read and write any files by creating specific Command Line Interface (CLI) commands.
Severity and Impact
NIST has assigned a Base Score of 7.1 HIGH to CVE-2022 – 41328, and FortiGuard Labs has issued a Vendor Advisory.
Response Step 1: Determine if you are at risk
Specific FortiOS versions are impacted:
- FortiOS versions 7.2.0 through 7.2.3
- FortiOS versions 7.0.0 through 7.0.9
- FortiOS versions 6.4.0 through 6.4.11
- FortiOS versions 6.2.0 through 6.2.13
- And all versions of FortiOS 6.0
To assess whether your third parties are vulnerable, customers can access the Fortinet FortiOS Vulnerability Questionnaire in the Whistic platform under Questionnaire Standards Library.
Response Step 2: Solutions according to FortiGuard Labs
FortiGuard Labs recommends updates to appropriate version from the following list:
- Upgrade to FortiOS version 7.2.4 or above
- Upgrade to FortiOS version 7.0.10 or above
- Upgrade to FortiOS version 6.4.12 or above
- Upgrade to FortiOS version 6.2.14 or above
Does this affect Whistic?
As a result of our investigation, we have determined that this vulnerability does not directly impact Whistic.