CVE-2022-23443
📋 TL;DR
CVE-2022-23443 is an improper access control vulnerability in Fortinet FortiSOAR that allows unauthenticated attackers to access gateway API data via crafted HTTP GET requests. This affects organizations running FortiSOAR versions before 7.2.0, potentially exposing sensitive security orchestration data.
💻 Affected Systems
- Fortinet FortiSOAR
📦 What is this software?
FortiSOAR by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
Attackers could exfiltrate sensitive security orchestration data, credentials, configuration details, and potentially gain further access to connected systems.
Likely Case
Unauthenticated data exposure of API endpoints containing security operations data, potentially including incident details, automation workflows, and system information.
If Mitigated
Limited to access attempts that are blocked by proper authentication controls and network segmentation.
🎯 Exploit Status
Exploitation requires knowledge of the gateway API endpoints but is straightforward once they are identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.2.0 and later
Vendor Advisory: https://fortiguard.com/psirt/FG-IR-22-041
Restart Required: Yes
Instructions:
1. Back up the FortiSOAR configuration and data.
2. Upgrade to FortiSOAR version 7.2.0 or later.
3. Verify that the upgrade completed successfully.
4. Test the API access controls.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the FortiSOAR gateway API endpoints to trusted IP addresses only.
# Use firewall rules to restrict access to the FortiSOAR API port.
# Order matters: the ACCEPT rule for trusted sources must come before the DROP rule.
iptables -A INPUT -p tcp --dport <api_port> -s <trusted_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport <api_port> -j DROP
Reverse Proxy with Authentication
Place FortiSOAR behind a reverse proxy that enforces authentication before forwarding requests. Block direct access to the FortiSOAR port from anywhere except the proxy host; otherwise the proxy can be bypassed.
# nginx location block using HTTP basic authentication (auth_basic);
# an Apache equivalent can be built with AuthType Basic.
location /api/ {
    auth_basic           "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;
    proxy_pass           http://fortisoar:<port>;
}
🧯 If You Can't Patch
- Implement strict network segmentation to isolate FortiSOAR from untrusted networks
- Deploy a web application firewall (WAF) with rules to block unauthenticated API access attempts
🔍 How to Verify
Check if Vulnerable:
Check the FortiSOAR version via the admin interface or SSH; any version before 7.2.0 is affected: ssh admin@fortisoar-host 'cat /opt/cyops/configs/version.txt'
Check Version:
ssh admin@fortisoar-host 'cat /opt/cyops/configs/version.txt'
Verify Fix Applied:
Verify version is 7.2.0 or later and test that unauthenticated HTTP GET requests to gateway API endpoints return authentication errors.
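The version comparison in the check above is easy to get wrong with a plain string comparison ("7.10.0" sorts before "7.2.0" as text). The following is an added example, not part of the advisory or of Fortinet's tooling: it extracts the numeric part of a version string and compares it numerically against the fixed release. The contents of the version file are a constructed sample; the real file format on a FortiSOAR host is an assumption.

```python
"""Added example: decide whether a FortiSOAR build string is at or beyond the
fixed release, 7.2.0 (CVE-2022-23443). Compares numerically so that 7.10.0 is
not judged older than 7.2.0, as a string comparison would."""
import re

FIXED_VERSION = (7, 2, 0)  # first release containing the fix, per the advisory

# Constructed sample of what a version file might contain (assumed format).
SAMPLE_VERSION_FILE = "7.2.0-1234\n"


def parse_version(text: str) -> tuple:
    """Extract the leading dotted numeric part of a version string.

    Accepts forms such as '7.1.9', 'v7.2.0', '7.2.0-1234' or '7.2.1 build 55';
    raises ValueError when no dotted number is present.
    """
    match = re.search(r"(\d+(?:\.\d+)+)", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_patched(version_text: str) -> bool:
    """True when the version is 7.2.0 or later, i.e. not affected."""
    parsed = parse_version(version_text)
    # Pad to three components so '7.2' compares like '7.2.0'.
    padded = parsed + (0,) * (len(FIXED_VERSION) - len(parsed))
    return padded >= FIXED_VERSION


def check_version_file(contents: str) -> str:
    """Produce a one-line verdict for the contents of a version file."""
    try:
        patched = is_patched(contents)
    except ValueError as exc:
        return f"UNKNOWN: {exc}"
    return "PATCHED" if patched else "VULNERABLE: upgrade to 7.2.0 or later"


if __name__ == "__main__":
    # Feed it the output of the ssh command from the verification step.
    print(check_version_file(SAMPLE_VERSION_FILE))
```

Pipe the output of the ssh version command into `check_version_file` and treat an UNKNOWN verdict as "inspect manually" rather than as a pass.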
📡 Detection & Monitoring
Log Indicators:
- Multiple 200/302 responses to gateway API endpoints with no corresponding authentication log entries
- Unusual GET requests to /api/gateway/* from unauthenticated sources
Network Indicators:
- HTTP GET requests to FortiSOAR API endpoints without preceding authentication requests
- Traffic to FortiSOAR from unexpected source IPs
SIEM Query:
source="fortisoar" AND http_method="GET" AND uri_path="/api/gateway/*" AND user="anonymous"
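For environments without a SIEM, or for checking the logic before deploying the query, the following is an added example (not from the advisory) that applies the same detection to raw access logs offline: it flags GET requests under /api/gateway/ that carry no authenticated user and received a 200 or 302 response, and reports source addresses that hit the endpoint repeatedly. The log lines are constructed, in Apache combined format with the authenticated user in the third field; FortiSOAR's actual log layout is an assumption and the regex would need adjusting to it.

```python
"""Added example: offline detection of unauthenticated gateway API access
(CVE-2022-23443 indicator) over constructed access-log lines."""
import re
from collections import Counter

# Combined log format: src - user [timestamp] "METHOD path proto" status bytes
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2022:10:00:01 +0000] "GET /api/gateway/configs HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2022:10:00:02 +0000] "GET /api/gateway/users HTTP/1.1" 200 2048
203.0.113.7 - - [10/Mar/2022:10:00:03 +0000] "GET /api/gateway/ HTTP/1.1" 302 0
198.51.100.4 - alice [10/Mar/2022:10:00:04 +0000] "GET /api/gateway/configs HTTP/1.1" 200 5120
192.0.2.9 - - [10/Mar/2022:10:00:05 +0000] "GET /api/gateway/configs HTTP/1.1" 401 120
192.0.2.9 - - [10/Mar/2022:10:00:06 +0000] "POST /api/gateway/configs HTTP/1.1" 403 0
"""

GATEWAY_PREFIX = "/api/gateway/"
SUCCESS_CODES = {"200", "302"}
ANON_USERS = {"-", "anonymous"}  # how "no authenticated user" appears (assumed)


def parse_log(text: str) -> list:
    """Parse combined-format lines into dicts; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def is_suspicious(event: dict) -> bool:
    """Mirror the SIEM query: an unauthenticated GET to the gateway API that succeeded."""
    return (
        event["method"] == "GET"
        and event["path"].startswith(GATEWAY_PREFIX)
        and event["user"] in ANON_USERS
        and event["status"] in SUCCESS_CODES
    )


def find_unauthenticated_gateway_access(text: str, threshold: int = 2) -> dict:
    """Return matching events and the sources with at least `threshold` hits."""
    hits = [e for e in parse_log(text) if is_suspicious(e)]
    per_source = Counter(e["src"] for e in hits)
    repeat_sources = {src: n for src, n in per_source.items() if n >= threshold}
    return {"hits": hits, "repeat_sources": repeat_sources}


if __name__ == "__main__":
    result = find_unauthenticated_gateway_access(SAMPLE_LOG)
    for e in result["hits"]:
        print(f'{e["src"]} {e["method"]} {e["path"]} -> {e["status"]}')
    print("repeated sources:", result["repeat_sources"])
```

Requests that were rejected (401/403) or made by an authenticated user are deliberately excluded, matching the page's log indicators; lower the threshold to 1 if you want every single unauthenticated success reported.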