CVE-2022-41333

7.5 HIGH

📋 TL;DR

An unauthenticated attacker can send crafted GET requests to FortiRecorder's login authentication mechanism, causing uncontrolled resource consumption that makes the device unavailable via denial of service. This affects FortiRecorder versions 6.4.3 and below, and 6.0.11 and below.

💻 Affected Systems

Products:
  • FortiRecorder
Versions: 6.4.3 and below, 6.0.11 and below
Operating Systems: FortiRecorder appliance firmware (hardware and VM models)
Default Config Vulnerable: ⚠️ Yes
Notes: The flaw is in the login authentication mechanism, which is reachable before any credentials are supplied, so every deployment running an affected version is exposed regardless of configuration.

📦 What is this software?

FortiRecorder is Fortinet's network video recorder (NVR) appliance for recording, storing and managing footage from IP cameras such as FortiCam. It is administered through a web interface, and that interface's login mechanism is the vulnerable component.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service: the FortiRecorder device stops responding, disrupting video surveillance recording and management.

🟠 Likely Case

Service degradation or temporary unavailability of the FortiRecorder device for as long as the request flood lasts, impacting surveillance operations.

🟢 If Mitigated

Minimal impact if the device is patched, reachable only from trusted networks, or not internet-facing.

🌐 Internet-Facing: HIGH - Unauthenticated attack via crafted GET requests makes internet-exposed devices particularly vulnerable.
🏢 Internal Only: MEDIUM - Still vulnerable to internal attackers or compromised internal systems, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept available on Packet Storm Security. Simple crafted GET requests can trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.4.4 and above, 6.0.12 and above

Vendor Advisory: https://fortiguard.com/psirt/FG-IR-22-388

Restart Required: Yes

Instructions:

1. Back up the current configuration before upgrading.
2. Log into the FortiRecorder web interface.
3. Navigate to System > Dashboard and note the running firmware version.
4. Obtain and install version 6.4.4 or later (6.4 branch) or 6.0.12 or later (6.0 branch). If you upgrade from a downloaded image, take it from the Fortinet Support portal and verify the published checksum before uploading it.
5. Reboot the device after installation and confirm the dashboard now shows the fixed version.

🔧 Temporary Workarounds

Network Access Control

Applies to: all affected versions

Restrict access to the FortiRecorder management interface (web UI and its login endpoint) to trusted administrator IP addresses only. An attacker who cannot reach the login page cannot trigger the flaw.

Rate Limiting

Applies to: all affected versions

Rate limit requests to the login endpoint per source address at an upstream device (perimeter firewall, reverse proxy or WAF) rather than on the appliance itself, since the appliance's login handler is the component whose resources are exhausted. This reduces exposure but does not remove it: a distributed flood spread over many sources can stay under a per-source limit.

🧯 If You Can't Patch

  • Isolate FortiRecorder on internal network segments with strict firewall rules
  • Implement web application firewall (WAF) with DoS protection rules

🔍 How to Verify

Check if Vulnerable:

Read the running FortiRecorder firmware version via the web interface: System > Dashboard > Firmware Version. Versions 6.4.3 and below, and 6.0.11 and below, are affected.

Check Version:

Web interface: System > Dashboard. CLI (console or SSH): `get system status` prints the firmware version on Fortinet appliances, including FortiRecorder.

Verify Fix Applied:

Confirm the reported version is 6.4.4 or later (6.4 branch) or 6.0.12 or later (6.0 branch). If you have a maintenance window, also confirm from an authorised test host that the login page stays responsive under a burst of GET requests.
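For fleet checks against exported inventory or CLI status output, the following helper compares a version string against the fixed versions listed above, branch by branch. This is an added example written for this page, not Fortinet code. The version strings in the comments are constructed; the regex is a heuristic for the common "vX.Y.Z,buildNNNN" shape and is an assumption about the status-line format. Branches the advisory does not list (for example 7.x) return None rather than a guess.

```python
import re

# Fixed versions per branch, as stated in the advisory: within a branch,
# anything below the fixed version is affected.
FIXED_BY_BRANCH = {
    (6, 0): (6, 0, 12),
    (6, 4): (6, 4, 4),
}

# Heuristic for strings like "6.4.3" or "FortiRecorder-400D v6.4.3,build0230"
# (constructed shape; adjust if your inventory exports differently).
VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract (major, minor, patch) from a version or status string."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no X.Y.Z version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def is_vulnerable(text):
    """True/False for branches the advisory covers; None for unlisted branches.

    Returning None (instead of False) for 7.x and others avoids claiming
    safety for a branch this page says nothing about.
    """
    ver = parse_version(text)
    fixed = FIXED_BY_BRANCH.get(ver[:2])
    if fixed is None:
        return None
    return ver < fixed


if __name__ == "__main__":
    # Constructed inventory lines, not real device output.
    for sample in ["6.4.3", "6.4.4", "6.0.11", "FortiRecorder-400D v6.0.5,build0123", "7.0.1"]:
        print(f"{sample:45s} vulnerable={is_vulnerable(sample)}")
```

Feed it the firmware string per device and treat None as "verify against the vendor advisory by hand".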

📡 Detection & Monitoring

Log Indicators:

  • Many GET requests to the login endpoint from one source in a short window, with no corresponding credential POST or successful authentication
  • High CPU/memory utilisation alerts on the appliance, or the web interface becoming slow or unresponsive
  • Login-page hits with unusual patterns (tight bursts, identical or near-identical requests)

Network Indicators:

  • Unusual volume of HTTP(S) GET requests to /login or similar authentication endpoints
  • Sustained traffic from a single source, or a small set of sources, to the authentication endpoint

SIEM Query (Splunk SPL shape; field names depend on how your collector parses the appliance's web logs):

source="fortirecorder" http_method=GET uri_path="*login*"
| bin _time span=1m
| stats count by _time, src_ip
| where count > 100

Requests over HTTPS are only visible to the SIEM if the appliance's own web logs, or a TLS-terminating proxy in front of it, are forwarded; a network sensor alone sees only TLS traffic.
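The same per-source, per-minute threshold logic as the query above, run over log lines offline so the rule can be tuned before it goes into a SIEM. This is an added example for this page, not Fortinet or vendor code. The log line format it parses is constructed for illustration (timestamp, source IP, request line, status); the real FortiRecorder web log layout is not shown on this page, so adapt LOG_RE to whatever your collector emits. The "login in the path" match is a heuristic, since the exact login URI is likewise not given here.

```python
import re
from collections import Counter

# Constructed log shape: '<ISO-8601 ts> <src_ip> "<METHOD> <path> HTTP/x.y" <status>'
LOG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) '
    r'(?P<src>\d{1,3}(?:\.\d{1,3}){3}) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)


def _line(ts, src, method, path, status=200):
    return f'{ts} {src} "{method} {path} HTTP/1.1" {status}'


def build_sample_logs():
    """Constructed sample traffic (documentation IP ranges, not real captures)."""
    lines = []
    # A legitimate operator: one GET for the login page, then a credential POST.
    lines.append(_line("2023-01-10T09:00:03Z", "198.51.100.7", "GET", "/login"))
    lines.append(_line("2023-01-10T09:00:09Z", "198.51.100.7", "POST", "/login", 302))
    # High-rate polling of a non-login endpoint: must not be flagged.
    for s in range(60):
        lines.append(_line(f"2023-01-10T09:00:{s:02d}Z", "198.51.100.8", "GET", "/api/cameras/status"))
    # Flood: 120 GETs to the login endpoint from one source within one minute.
    for i in range(120):
        lines.append(_line(f"2023-01-10T09:01:{i % 60:02d}Z", "203.0.113.10", "GET", f"/login?sid={i}"))
    # Same source, next minute, below the default threshold.
    for i in range(40):
        lines.append(_line(f"2023-01-10T09:02:{i:02d}Z", "203.0.113.10", "GET", "/login"))
    return lines


def is_login_path(path):
    # Compare the path component only, so "/login?sid=1" and "/Login" both count.
    return "login" in path.split("?", 1)[0].lower()


def login_get_counts(lines):
    """Counter of (src_ip, minute) -> number of GETs to a login endpoint."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparseable line: skip rather than guess
        if m["method"] != "GET" or not is_login_path(m["path"]):
            continue
        minute = m["ts"][:16]  # "YYYY-MM-DDTHH:MM" truncation gives a 1-minute bucket
        counts[(m["src"], minute)] += 1
    return counts


def flag_sources(lines, threshold=100):
    """{src_ip: peak GETs-to-login in any one minute} for sources over threshold."""
    peaks = {}
    for (src, _minute), n in login_get_counts(lines).items():
        if n > threshold:
            peaks[src] = max(n, peaks.get(src, 0))
    return peaks


if __name__ == "__main__":
    print(flag_sources(build_sample_logs()))
```

The threshold of 100 per minute mirrors the SIEM query; tune it against a baseline of legitimate operator logins on your own appliance, and keep POSTs out of the count so normal authentication traffic does not inflate it.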

🔗 References

  • Fortinet PSIRT advisory FG-IR-22-388: https://fortiguard.com/psirt/FG-IR-22-388
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2022-41333