CVE-2022-26121 Vulnerability in FortiAnalyzer and FortiManager GUI 7.0.0 - 7.0.3, 6.4.0 - 6.4.8, 6.2.0 - 6.2.9, 6.0.0 - 6.0.11, 5.6.0 - 5.6.11 may allow an unauthenticated and remote attack.
FortiGate units running vulnerable versions of these web-based management platforms may allow an unauthenticated and remote attacker to escalate privileges to administrative levels. FortiManager and FortiAnalyzer allow administrators to create and manage reports with the help of report templates. These templates are a set of predefined rules and settings that can be used to generate a report or help with troubleshooting. If a report template is discovered to be vulnerable to a CWE, it may lead to a scenario where an attacker can view and modify the contents of a report. This may allow an attacker to use the report as a weapon against the management platform. FortiManager and FortiAnalyzer versions 7.0.0 through 7.0.3, 6.4.0 through 6.4.8, 6.2.0 through 6.2.9, 6.0.0 through 6.0.11, 5.6.0 through 5.6.11 allow an authenticated user to create a report via URL path referencing the report template. For example, an attacker can create a report by URL path: http://{management-platform-server}/reports/Template1.html. FortiManager and FortiAnalyzer versions 6.4.0 through 6.4.8, 6.2.0 through 6.2.9, 6.0.0 through 6.0.11, 5.6.0 through 5.6.11 allow an authenticated
Analysis of Vulnerable Versions of the FortiManager, FortiAnalyzer and FortiGate
The vulnerability is found in the report template URLs accepted by various versions of FortiManager and FortiAnalyzer. These URL paths are referenced in the reports that are created, edited or deleted. This vulnerability can be triggered when an authenticated user accesses a report via URL path that references a vulnerable report template.
The affected products allow users to create and edit reports through the use of report templates, which are sets of predefined rules or settings that help with troubleshooting, generating reports or providing visual representations of data collected. The vulnerability lies in the fact that some versions of these products allow users to create report templates using URL paths referencing vulnerable report templates. Because this architecture allows users to create a new report using an existing vulnerable template as long as they know its name, an attacker can use this approach to attack multiple instances of these products on the same network by creating new reports through one instance and then editing them later on another instance.
FortiGate units running vulnerable versions of below web-based management platforms may be affected
FortiManager: 6.4.0 through 6.4.8, 6.2.0 through 6.2.9, 6.0.0 through 6.0.11
FortiAnalyzer: 5.6.0 through 5.6.11
Products Affected FortiGate:
all models, running FortiOS version 4.2.0 or earlier
FortiAnalyzer:
all models, running FortiOS version 4.2.0 or earlier
FortiManager:
varies by platform and model, all running FortiOS verion 4.2.0 or earlier
FortiGate units running vulnerable versions of Web-Based Management Platforms
FortiGate is a type of firewall that helps protect networks from malicious Internet traffic. If a FortiGate unit is running vulnerable versions of the web-based management platform, an unauthenticated and remote attacker could use this vulnerability to escalate privileges to administrative levels.
FortiManager and FortiAnalyzer are both features of the FortiGate units. This vulnerability happens when administrators use report templates to create reports with the help of those features. The vulnerabilities allow an attacker to view or modify the contents of reports created by administrators. This may allow them to use it as a weapon against the management platform.
Timeline
Published on: 10/10/2022 14:15:00 UTC
Last modified on: 10/12/2022 18:44:00 UTC