CVE-2022-26117
📋 TL;DR
This vulnerability in FortiNAC allows authenticated attackers to access MySQL databases via the CLI when configuration files contain empty passwords. It affects multiple FortiNAC versions across several release branches. Attackers could potentially read, modify, or delete sensitive database information.
💻 Affected Systems
- FortiNAC
📦 What is this software?
Fortinac by Fortinet
Fortinac by Fortinet
Fortinac by Fortinet
Fortinac by Fortinet
Fortinac by Fortinet
Fortinac by Fortinet
Fortinac by Fortinet
Fortinac by Fortinet
Fortinac by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of MySQL databases containing sensitive network access control data, user credentials, device information, and configuration details, potentially leading to network-wide access control bypass.
Likely Case
Unauthorized access to sensitive database information, including user credentials and network policies, enabling lateral movement and privilege escalation within the network.
If Mitigated
Limited impact with proper authentication controls, network segmentation, and database access restrictions in place.
🎯 Exploit Status
Requires authenticated CLI access. Exploitation is straightforward once authenticated access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions above those listed in affected versions (check specific FortiGuard advisory for exact fixed versions)
Vendor Advisory: https://fortiguard.com/psirt/FG-IR-22-058
Restart Required: Yes
Instructions:
1. Review FortiGuard advisory FG-IR-22-058 for exact fixed versions. 2. Upgrade to patched FortiNAC version. 3. Restart FortiNAC services. 4. Verify configuration files no longer contain empty passwords.
🔧 Temporary Workarounds
Remove empty passwords from configuration
allManually check and remove any empty password fields from FortiNAC configuration files
# Review configuration files for empty password fields
# Set proper passwords for all database and service accounts
Restrict CLI access
allLimit CLI access to authorized administrators only using network controls and authentication
# Implement network segmentation
# Use firewall rules to restrict access to FortiNAC management interfaces
# Enforce strong authentication for CLI access
🧯 If You Can't Patch
- Implement strict network segmentation to isolate FortiNAC management interfaces
- Enforce strong authentication and limit CLI access to minimal required personnel
🔍 How to Verify
Check if Vulnerable:
Check FortiNAC version against affected versions list and review configuration files for empty password fieldsCheck Version:
# From FortiNAC CLI: get system status | grep VersionVerify Fix Applied:
Verify FortiNAC version is above affected versions and confirm configuration files have proper passwords set📡 Detection & Monitoring
Log Indicators:
- Unusual CLI access patterns
- Multiple failed authentication attempts followed by successful CLI access
- Database access from unexpected sources or users
Network Indicators:
- Unusual database connection attempts from FortiNAC CLI
- Traffic patterns indicating database enumeration or exfiltration
SIEM Query:
source="fortinac" AND (event_type="cli_access" OR event_type="database_access") AND user!="authorized_admin"