CVE-2022-23447
📋 TL;DR
This CVE describes a path traversal vulnerability in FortiExtender management interfaces that allows unauthenticated remote attackers to read arbitrary files from the filesystem. Attackers can exploit this by sending specially crafted web requests to retrieve sensitive system files. Organizations using affected FortiExtender versions are vulnerable.
💻 Affected Systems
- FortiExtender
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through retrieval of configuration files, credentials, or private keys leading to lateral movement and data exfiltration.
Likely Case
Unauthorized access to sensitive configuration files, logs, or credentials stored on the FortiExtender device.
If Mitigated
Limited impact with proper network segmentation and access controls preventing external exploitation.
🎯 Exploit Status
Path traversal vulnerabilities are commonly exploited; unauthenticated nature makes this particularly dangerous.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FortiExtender 7.0.4, 4.2.5, 4.1.9, 4.0.3, 3.3.3, 3.2.4, 5.4.0
Vendor Advisory: https://fortiguard.com/psirt/FG-IR-22-039
Restart Required: Yes
Instructions:
1. Download appropriate firmware from Fortinet support portal. 2. Backup configuration. 3. Upload firmware via web interface or CLI. 4. Reboot device. 5. Verify version after reboot.
🔧 Temporary Workarounds
Restrict Management Interface Access
allLimit network access to FortiExtender management interface using firewall rules or network segmentation.
# Example firewall rule to restrict access to management IP
iptables -A INPUT -p tcp --dport 443 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Disable Unnecessary Management Interfaces
allDisable HTTP/HTTPS management interfaces if not required, using CLI-only management.
config system interface
edit port1
set allowaccess ping https ssh
next
end
🧯 If You Can't Patch
- Implement strict network segmentation to isolate FortiExtender management interfaces from untrusted networks.
- Deploy web application firewall (WAF) rules to detect and block path traversal patterns in HTTP requests.
🔍 How to Verify
Check if Vulnerable:
Check FortiExtender firmware version via web interface (System > Dashboard) or CLI command 'get system status'.Check Version:
get system status | grep VersionVerify Fix Applied:
Verify firmware version is updated to patched versions: 7.0.4, 4.2.5, 4.1.9, 4.0.3, 3.3.3, 3.2.4, or 5.4.0.📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in web logs
- Multiple failed or successful attempts to access system files via web requests
- Requests containing '../' patterns or unusual file paths
Network Indicators:
- HTTP requests with path traversal sequences (../) to FortiExtender management IP
- Unusual outbound traffic from FortiExtender after exploitation
SIEM Query:
source="fortiextender" AND (url="*../*" OR status=200 AND url="*/etc/*" OR url="*/config/*")