A recently discovered improper authentication vulnerability, identified as CVE-2022-26119, affects versions of Fortinet FortiSIEM software prior to 6.5. This security flaw can enable a local attacker who has Command Line Interface (CLI) access to perform operations directly on the Glassfish server by leveraging a hardcoded password. In this article, we provide a detailed breakdown of the vulnerability, explain how it can be exploited, and share the original references regarding the issue.

Understanding the Vulnerability

Fortinet FortiSIEM is a powerful security information and event management (SIEM) solution used by organizations to gain advanced insights into potential security threats. However, this vulnerability exposes the Glassfish server to unauthorized access, leading to the potential compromise of sensitive data and systems.

This improper authentication issue occurs because Fortinet FortiSIEM utilizes a hardcoded password for CLI operations on the Glassfish server. The hardcoded nature of the password means that it remains constant across multiple deployments of the software, making it an attractive target for attackers. One of the major problems that arise from hardcoding passwords is that if an attacker gains access to a single instance, they could potentially access multiple instances using the same password.
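To make the hardcoding problem described above concrete, the following added example (not FortiSIEM or GlassFish code; all names, including HARDCODED_PASSWORD and SecretStore, are hypothetical) contrasts a constant password compiled into a program with a per-deployment secret generated at install time and stored with owner-only permissions. It also simulates two independent installs to show that a secret captured on one does not authenticate to the other.

```python
"""Hardcoded credential vs. per-deployment secret: an illustrative contrast.

Added example, not FortiSIEM or GlassFish code. HARDCODED_PASSWORD,
SecretStore and the function names are hypothetical.
"""
import hmac
import os
import secrets
import stat
import tempfile
from pathlib import Path

# --- Vulnerable pattern (shown for contrast) -------------------------------
# A constant baked into the program is identical on every install and is
# visible to anyone who can read the binary, the source or a config dump.
HARDCODED_PASSWORD = "example-constant-password"  # constructed placeholder


def check_password_hardcoded(candidate: str) -> bool:
    """Every deployment accepts the same value: leak once, compromised everywhere."""
    return candidate == HARDCODED_PASSWORD


# --- Hardened pattern ------------------------------------------------------
class SecretStore:
    """Per-deployment secret generated at install time and kept in a file
    that only the service account can read."""

    def __init__(self, path: Path):
        self.path = path

    def initialize(self) -> str:
        """Generate a fresh random secret for this host and store it mode 0600."""
        secret = secrets.token_urlsafe(32)
        fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(secret)
        return secret

    def permissions_ok(self) -> bool:
        """Refuse to use a secret file that other users can read or write."""
        mode = stat.S_IMODE(self.path.stat().st_mode)
        return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0

    def load(self) -> str:
        if not self.permissions_ok():
            raise PermissionError(f"{self.path} is accessible to other users")
        return self.path.read_text().strip()

    def check_password(self, candidate: str) -> bool:
        # Constant-time comparison avoids leaking prefix information via timing.
        expected = self.load()
        return hmac.compare_digest(candidate.encode(), expected.encode())


def demo_per_install_secrets() -> dict:
    """Create two independent 'installs' in a temp dir and report what each
    accepts. The temp dir is removed on return."""
    with tempfile.TemporaryDirectory() as tmp:
        a = SecretStore(Path(tmp) / "install_a.secret")
        b = SecretStore(Path(tmp) / "install_b.secret")
        secret_a = a.initialize()
        secret_b = b.initialize()
        return {
            "a_accepts_own": a.check_password(secret_a),
            "b_accepts_own": b.check_password(secret_b),
            "b_accepts_a": b.check_password(secret_a),  # cross-install reuse
            "a_perms_ok": a.permissions_ok(),
        }


def loose_permissions_rejected() -> bool:
    """A secret file left world-readable must not be trusted."""
    with tempfile.TemporaryDirectory() as tmp:
        store = SecretStore(Path(tmp) / "loose.secret")
        secret = store.initialize()
        store.path.chmod(0o644)  # simulate a misconfigured deployment
        try:
            store.check_password(secret)
        except PermissionError:
            return True
        return False


if __name__ == "__main__":
    print("hardcoded accepted everywhere:", check_password_hardcoded(HARDCODED_PASSWORD))
    print("per-install results:", demo_per_install_secrets())
    print("world-readable secret rejected:", loose_permissions_rejected())
```

The point of the simulation is the `b_accepts_a` result: with a per-deployment secret it is false, whereas with the hardcoded constant the same credential works on every instance, which is exactly the property the advisory text warns about.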

Exploiting the Vulnerability

To exploit this vulnerability, attackers must first obtain CLI access, either through social engineering or by capitalizing on another vulnerability that grants such access. Once CLI access is obtained, the attacker can use the following code snippet to authenticate directly on the Glassfish server:

glassfish_cli -u <username> -P <hardcoded_password>

In this code snippet, <username> refers to the user attempting authentication, and <hardcoded_password> refers to the hardcoded password used across all instances of Fortinet FortiSIEM software prior to version 6.5.

Once authenticated, the attacker can perform operations on the Glassfish server, potentially compromising the confidentiality, integrity, and availability of data within the affected environment. This could result in unauthorized access to sensitive information, unauthorized modification of data, and potential disruption of critical systems.

The vulnerability was first disclosed by Fortinet in the following security advisory:

- Fortinet Security Advisory

Furthermore, the National Vulnerability Database (NVD) provides in-depth information about CVE-2022-26119, including the CVSS (Common Vulnerability Scoring System) score, as well as additional references to fortify your understanding of the issue:

- NVD - CVE-2022-26119

Mitigation and Recommendations

To protect your organization from this vulnerability, it is crucial to follow the recommended remediation steps provided by Fortinet:

1. Upgrade your Fortinet FortiSIEM software to version 6.5. or later to address the improper authentication issue.
2. Limit CLI access to only authorized users and implement strict access controls, ensuring that unauthorized individuals cannot gain access to sensitive systems.
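Recommendation 2 is easier to enforce when successful CLI logins are also audited. The following added example (not FortiSIEM code) runs a policy check over constructed log lines in the standard OpenSSH `Accepted ... for <user> from <ip>` format, which is how CLI access to a Linux-based appliance is typically recorded; the allowed users, management subnet and permitted authentication methods are hypothetical values a deployment would set for itself.

```python
"""Flag appliance CLI (SSH) logins that fall outside an access policy.

Added example, not FortiSIEM code. SAMPLE_LOG is constructed in the
OpenSSH sshd syslog format; the allowlists below are hypothetical.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample lines (OpenSSH sshd format). Only 'Accepted' lines
# represent successful CLI access; 'Failed' lines are noise for this check.
SAMPLE_LOG = """\
Nov  2 12:15:01 siem sshd[2101]: Accepted publickey for admin from 10.10.1.20 port 51022 ssh2: ED25519 SHA256:abc
Nov  2 12:16:44 siem sshd[2150]: Accepted password for root from 203.0.113.77 port 40212 ssh2
Nov  2 12:17:03 siem sshd[2161]: Failed password for root from 203.0.113.77 port 40213 ssh2
Nov  2 12:18:30 siem sshd[2199]: Accepted publickey for svc-backup from 10.10.1.55 port 51500 ssh2: RSA SHA256:def
"""

ALLOWED_USERS = {"admin", "svc-backup"}                    # hypothetical allowlist
ALLOWED_NETWORKS = [ipaddress.ip_network("10.10.1.0/24")]  # hypothetical management subnet
ALLOWED_METHODS = {"publickey"}                            # password logins not permitted for CLI

LOGIN_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def audit_cli_logins(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per successful login that violates the policy."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        user, ip, method = m["user"], m["ip"], m["method"]
        reasons = []
        if user not in ALLOWED_USERS:
            reasons.append("user not in allowlist")
        if not any(ipaddress.ip_address(ip) in net for net in ALLOWED_NETWORKS):
            reasons.append("source outside management network")
        if method not in ALLOWED_METHODS:
            reasons.append(f"auth method '{method}' not permitted")
        if reasons:
            findings.append(
                {"user": user, "ip": ip, "method": method, "reasons": "; ".join(reasons)}
            )
    return findings


if __name__ == "__main__":
    for f in audit_cli_logins(SAMPLE_LOG):
        print(f"ALERT: {f['user']} from {f['ip']} via {f['method']}: {f['reasons']}")
```

Against the sample, only the root login from outside the management subnet using a password is reported; each violated rule is listed separately so the alert explains which control failed.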

Conclusion

CVE-2022-26119 is a critical improper authentication vulnerability present in Fortinet FortiSIEM software versions before 6.5., which exposes the Glassfish server to attackers. By gaining CLI access, attackers can exploit this vulnerability and compromise your organization's security. We urge you to follow the recommendations provided above and take necessary action to mitigate the risks associated with this vulnerability.

Timeline

Published on: 11/02/2022 12:15:00 UTC
Last modified on: 11/03/2022 13:49:00 UTC