CVE-2022-42474 in FortiOS
Summary
by MITRE • 06/13/2023
A relative path traversal vulnerability [CWE-23] in Fortinet FortiOS version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.9 and before 6.4.12, FortiProxy version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.7, FortiSwitchManager version 7.2.0 through 7.2.1 and before 7.0.1 allows an privileged attacker to delete arbitrary directories from the filesystem through crafted HTTP requests.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/08/2023
The vulnerability CVE-2022-42474 represents a critical relative path traversal flaw that affects multiple Fortinet products including FortiOS, FortiProxy, and FortiSwitchManager across several version ranges. This vulnerability falls under CWE-23, which specifically addresses relative path traversal issues where attackers can manipulate file paths to access or modify files outside of intended directories. The flaw exists in the handling of HTTP requests within Fortinet's network security appliances, creating a pathway for malicious actors to exploit the system's file system access controls.
The technical implementation of this vulnerability allows an authenticated attacker with privileged access to craft specially formatted HTTP requests that can traverse directory structures and delete arbitrary directories from the affected systems. This occurs because the application fails to properly validate and sanitize user-supplied input that influences file system operations. The vulnerability is particularly dangerous because it requires only privileged access rather than administrative credentials, making it exploitable by users who already have some level of system access. The attack vector specifically targets the handling of relative paths in HTTP request processing, where the application does not adequately enforce directory boundaries during file operations.
The operational impact of this vulnerability extends beyond simple file deletion, as it represents a fundamental breakdown in the security model of Fortinet's network appliances. Attackers could potentially delete critical system directories, configuration files, or even entire system components, leading to complete system compromise or denial of service conditions. The vulnerability affects multiple product lines and version ranges, indicating a widespread issue within Fortinet's software development lifecycle. Organizations using these affected versions face significant risk of unauthorized system modifications, data loss, and potential complete system outages. The impact is particularly severe in enterprise environments where these appliances serve as core network security components.
Organizations should immediately implement mitigations including updating to the latest Fortinet firmware versions that address this vulnerability, as well as implementing network segmentation and access controls to limit the scope of potential exploitation. The ATT&CK framework categorizes this type of vulnerability under T1059 Command and Scripting Interpreter and T1490 Inhibit System Recovery, as it enables attackers to disable system recovery mechanisms through directory deletion. Additional defensive measures should include monitoring for unusual HTTP request patterns and implementing web application firewalls to detect and block malicious path traversal attempts. The vulnerability highlights the importance of input validation and proper path handling in network security appliances, and organizations should conduct thorough security assessments of their Fortinet deployments to identify and remediate similar issues.