CVE-2022-42478

8.1 HIGH

📋 TL;DR

CVE-2022-42478 is an authentication brute force vulnerability in FortiSIEM that allows non-privileged users to perform unlimited authentication attempts against multiple endpoints. This affects FortiSIEM versions below 7.0.0, potentially allowing attackers to guess credentials and gain unauthorized access.

💻 Affected Systems

Products:
  • FortiSIEM
Versions: All versions below 7.0.0
Operating Systems: FortiSIEM appliance OS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments with default authentication settings. Requires attacker to have some level of initial access to the affected endpoints.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could brute force administrative credentials, gain full system control, and potentially pivot to other systems in the network.

🟠 Likely Case

Attackers gain unauthorized access to FortiSIEM with user-level privileges, allowing them to view sensitive security data and modify configurations.

🟢 If Mitigated

With proper rate limiting and monitoring, only limited account lockouts or failed login alerts would occur.

🌐 Internet-Facing: HIGH if FortiSIEM management interface is exposed to the internet, as attackers can brute force from anywhere.
🏢 Internal Only: MEDIUM as it still allows internal attackers or compromised accounts to brute force other accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to specific endpoints but uses simple brute force techniques. No authentication bypass is needed; the weakness is the absence of rate limiting on authentication attempts.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FortiSIEM 7.0.0 and above

Vendor Advisory: https://fortiguard.com/psirt/FG-IR-22-258

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Upgrade FortiSIEM to version 7.0.0 or later.
3. Restart the system.
4. Verify that authentication rate limiting is enabled.

🔧 Temporary Workarounds

Implement Network Access Controls (applies to: all)

Restrict access to FortiSIEM management interfaces to trusted IP addresses only.

Enable Account Lockout Policies (applies to: all)

Configure account lockout after failed authentication attempts if supported by your version.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate FortiSIEM from untrusted networks
  • Enable comprehensive logging and monitoring for authentication attempts with alerting on brute force patterns

🔍 How to Verify

Check if Vulnerable:

Check the FortiSIEM version via the GUI (System > Status) or the CLI. If the version is below 7.0.0, the system is vulnerable.

Check Version:

ssh admin@fortisiem-host 'show version' or check via web interface

Verify Fix Applied:

After upgrade, verify version is 7.0.0 or higher and test authentication rate limiting by attempting multiple failed logins.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts from same source IP
  • Unusual authentication patterns to FortiSIEM endpoints

Network Indicators:

  • High volume of authentication requests to FortiSIEM management ports
  • Traffic patterns suggesting credential guessing

SIEM Query:

source="fortisiem" AND (event_type="authentication_failure" OR event_type="login_failed") | stats count by src_ip, user | where count > 10
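An added example, not from this page or from Fortinet, that implements the SIEM query above as a stand-alone Python check over constructed log lines, and goes one step further by counting failures inside a sliding time window instead of over the whole search (a slow, spread-out guessing campaign then stays below threshold, a fast one does not). The key=value line format and field names are assumptions chosen to mirror the query; they are not FortiSIEM's real log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines in a generic "key=value" syslog style. Field names mirror the
# page's SIEM query (event_type, src_ip, user); this is NOT FortiSIEM's actual log format.
def _line(minute, second, event, ip, user):
    ts = datetime(2024, 5, 1, 10, minute, second, tzinfo=timezone.utc)
    return f"{ts.isoformat()} fortisiem event_type={event} src_ip={ip} user={user}"

SAMPLE_LOGS = "\n".join(
    [_line(0, s * 5, "authentication_failure", "10.0.0.5", "admin") for s in range(12)]  # 12 in one minute
    + [_line(m * 5, 0, "login_failed", "10.0.0.7", "svc") for m in range(12)]             # 12 spread over 55 min
    + [_line(1, s, "authentication_failure", "10.0.0.9", "alice") for s in range(3)]     # 3 ordinary typos
    + [_line(2, 0, "login_success", "10.0.0.5", "admin")]                                 # successes are ignored
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) fortisiem event_type=(?P<event>\S+) src_ip=(?P<ip>\S+) user=(?P<user>\S+)$"
)
FAILURE_EVENTS = {"authentication_failure", "login_failed"}  # the two event types in the page's query

def parse_failures(log_text):
    """Yield (timestamp, src_ip, user) for each failed-authentication line; skip everything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["event"] in FAILURE_EVENTS:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["user"]

def brute_force_candidates(log_text, threshold=10, window=timedelta(minutes=5)):
    """Return {(src_ip, user): peak_count} for pairs with more than `threshold` failures inside
    any sliding `window`. With window=None this is exactly the page's 'count > 10' query."""
    stamps = defaultdict(list)
    for ts, ip, user in parse_failures(log_text):
        stamps[(ip, user)].append(ts)
    hits = {}
    for key, times in stamps.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            if window is not None:
                while t - times[start] > window:   # drop failures that fell out of the window
                    start += 1
            run = end - start + 1
            if run > threshold:
                hits[key] = max(hits.get(key, 0), run)
    return hits

if __name__ == "__main__":
    for (ip, user), n in brute_force_candidates(SAMPLE_LOGS).items():
        print(f"ALERT: {n} failed logins for {user!r} from {ip} within 5 minutes")
```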
