CVE-2022-42472 in FortiOS
Summary
by MITRE • 02/16/2023
A improper neutralization of crlf sequences in http headers ('http response splitting') in Fortinet FortiOS versions 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.11, 6.2.0 through 6.2.12, 6.0.0 through 6.0.16, FortiProxy 7.2.0 through 7.2.1, 7.0.0 through 7.0.7, 2.0.0 through 2.0.10, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6 may allow an authenticated and remote attacker to perform an HTTP request splitting attack which gives attackers control of the remaining headers and body of the response.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 03/16/2023
The vulnerability identified as CVE-2022-42472 represents a critical HTTP response splitting flaw in Fortinet FortiOS and FortiProxy products that affects multiple version ranges across different product lines. This vulnerability stems from inadequate input validation and sanitization of carriage return line feed (CRLF) sequences within HTTP headers, creating a pathway for malicious actors to inject arbitrary HTTP headers and manipulate response content. The issue manifests when the system fails to properly neutralize CRLF sequences that are typically used to separate HTTP headers from the response body, allowing attackers to inject additional headers that can redirect traffic, inject malicious content, or manipulate session handling. This flaw exists in FortiOS versions 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.11, 6.2.0 through 6.2.12, and 6.0.0 through 6.0.16, as well as corresponding FortiProxy versions, indicating a widespread impact across multiple security product lines from Fortinet.
The technical exploitation of this vulnerability requires an authenticated attacker who can send crafted HTTP requests containing CRLF sequences within headers, which are then processed without proper sanitization. When the system processes these requests, it fails to properly escape or remove the CRLF characters, allowing them to be interpreted as legitimate header separators. This creates a condition where attackers can inject additional HTTP headers that are appended to the original response, potentially including headers such as Set-Cookie, Location, or Content-Type that can redirect users to malicious sites, inject scripts, or manipulate browser behavior. The vulnerability specifically affects the HTTP response processing pipeline where header values are not properly validated against CRLF sequences, creating a direct path for header injection attacks that aligns with CWE-113, which describes improper neutralization of CRLF characters in HTTP headers.
The operational impact of this vulnerability is significant as it allows remote attackers to perform HTTP request splitting attacks that can compromise the integrity of web applications and user sessions. Attackers can leverage this vulnerability to perform session hijacking by injecting malicious Set-Cookie headers, redirect users to phishing sites through Location header injection, or inject malicious content into web responses. The authenticated requirement means that attackers must first gain access to legitimate user credentials or administrative access, but once achieved, the impact can be severe as it allows for persistent manipulation of HTTP responses. This vulnerability can be particularly dangerous in environments where Fortinet appliances serve as web proxies or application delivery controllers, as it can affect multiple downstream applications and services. The attack surface extends beyond simple header injection to potentially enable more sophisticated attacks such as cross-site scripting, cache poisoning, or man-in-the-middle attacks that can compromise user data and system integrity.
Organizations should implement immediate mitigations including applying the latest security patches from Fortinet that address this specific CRLF injection vulnerability, implementing strict input validation on all HTTP headers at the perimeter, and deploying web application firewalls that can detect and block malformed HTTP requests containing CRLF sequences. Network segmentation and monitoring should be enhanced to detect unusual HTTP header patterns that may indicate exploitation attempts, while access controls should be strengthened to limit the attack surface of vulnerable systems. The vulnerability also highlights the importance of following secure coding practices for HTTP header processing, specifically implementing proper input sanitization and validation techniques that align with OWASP recommendations for preventing HTTP response splitting attacks. Organizations should also consider implementing security awareness training for administrators to recognize potential exploitation patterns and maintain regular vulnerability assessments to identify similar issues in other components of their security infrastructure. This vulnerability demonstrates the critical need for continuous security monitoring and rapid patch deployment processes, as it provides attackers with a direct method to manipulate HTTP responses and potentially compromise user sessions and data integrity across affected Fortinet products.