CVE-2022-23439
📋 TL;DR
This vulnerability allows attackers to poison web caches by sending crafted HTTP requests with malicious Host headers to Fortinet devices. Attackers can redirect users to arbitrary malicious servers, potentially leading to credential theft or malware distribution. Affected organizations are those using vulnerable Fortinet products with web caching enabled.
💻 Affected Systems
- Fortinet FortiGate
- Fortinet FortiProxy
- Fortinet FortiADC
📦 What is this software?
Fortiadc by Fortinet
Fortiddos by Fortinet
Fortiddos F by Fortinet
Fortimail by Fortinet
Fortindr by Fortinet
Fortindr by Fortinet
Fortios by Fortinet
Fortios by Fortinet
Fortiproxy by Fortinet
Fortiproxy by Fortinet
Fortirecorder by Fortinet
Fortirecorder by Fortinet
Fortisoar by Fortinet
Fortiswitch by Fortinet
Fortitester by Fortinet
Fortivoice by Fortinet
Fortiwlc by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
Attackers redirect all web traffic through vulnerable devices to malicious servers, enabling credential harvesting, malware distribution, and complete interception of sensitive communications.
Likely Case
Targeted cache poisoning attacks redirect specific users or services to phishing sites or malicious content, potentially compromising credentials or delivering malware.
If Mitigated
With proper web cache validation and Host header filtering, impact is limited to unsuccessful poisoning attempts that generate error logs.
🎯 Exploit Status
Exploitation requires sending crafted HTTP requests but doesn't require authentication. Cache poisoning techniques are well-documented in security literature.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific version numbers per product
Vendor Advisory: https://fortiguard.com/psirt/FG-IR-23-494
Restart Required: Yes
Instructions:
1. Access Fortinet support portal 2. Download appropriate firmware update for your product 3. Backup configuration 4. Apply firmware update 5. Reboot device 6. Verify update applied successfully
🔧 Temporary Workarounds
Disable Web Caching
allTemporarily disable web caching functionality to prevent exploitation
config system global
set web-cache disable
end
Implement Host Header Validation
allConfigure web proxy to validate and sanitize Host headers
config web-proxy explicit
set strict-host-check enable
end
🧯 If You Can't Patch
- Implement network-level filtering to block HTTP requests with suspicious Host headers
- Deploy WAF with rules to detect and block cache poisoning attempts
🔍 How to Verify
Check if Vulnerable:
Check if web caching is enabled and device version matches vulnerable range in vendor advisoryCheck Version:
get system status | grep VersionVerify Fix Applied:
Verify firmware version is updated to patched version and test with controlled cache poisoning attempts📡 Detection & Monitoring
Log Indicators:
- Multiple HTTP requests with unusual Host headers
- Cache poisoning attempts in web proxy logs
- Unexpected cache entries pointing to external domains
Network Indicators:
- HTTP requests with malformed Host headers
- Traffic patterns showing cache poisoning attempts
- Unexpected redirects from cached content
SIEM Query:
source="fortigate" AND ("Host:" AND NOT "expected-domain.com") OR "cache poisoning"