CVE-2022-41328
published 2023-03-07


Priority: P1 · 83 · high
CVSS 3.1: 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
Badges: KEV · ITW
CISA Known Exploited Vulnerability, due 2023-04-04
Exploited in the wild
EPSS: 12.32% (95.7th percentile)
An improper limitation of a pathname to a restricted directory vulnerability ('path traversal') [CWE-22] in Fortinet FortiOS version 7.2.0 through 7.2.3, 7.0.0 through 7.0.9 and before 6.4.11 allows a privileged attacker to read and write files on the underlying Linux system via crafted CLI commands.

Affected

11 ranges
Vendor     Product    Version range        Fixed in
fortinet   fortinet
fortinet   fortios
fortinet   fortios    6.0.0 – 6.0.16
fortinet   fortios    >= 6.2.0 < 6.2.14    6.2.14
fortinet   fortios    6.2.0 – 6.2.13
fortinet   fortios    >= 6.4.0 < 6.4.12    6.4.12
fortinet   fortios    6.4.0 – 6.4.11
fortinet   fortios    >= 7.0.0 < 7.0.10    7.0.10
fortinet   fortios    7.0.0 – 7.0.9
fortinet   fortios    >= 7.2.0 < 7.2.4     7.2.4
fortinet   fortios    7.2.0 – 7.2.3

Detection & IOCs (extracted from sources)

hash     b6e92149efaf78e9ce7552297505b9d5
hash     53a69adac914808eced2bf8155a7512d
hash     9ce2459168cf4b5af494776a70e0feda
hash     e3f342c212bb8a0a56f63490bf00ca0c
hash     88711ebc99e1390f1ce2f42a6de0654d
hash     64bdf7a631bc76b01b985f1d46b35ea6
hash     3e43511c4f7f551290292394c4e21de7
hash     e2d2884869f48f40b32fb27cc3bdefff
path     /bin/lspci
path     /bin/klogd
path     /bin/auth
path     /bin/support
path     /nohup.out
path     /bin/smit
cookie   FGMGTOKEN
cookie   DEVICEID
port     541
command  diagnose hardware lspci
  • Inspect HTTP requests to FortiManager for the presence of cookies FGMGTOKEN and DEVICEID, which are used by the backdoor to receive RC4-encoded commands.
  • Monitor for traffic redirection targeting destination port 541 (FortiGuard management port) from unexpected source IPs, as the 'auth' malware redirects such traffic to attacker-controlled ports.
  • FIPS mode on FortiGate devices provides a detection mechanism: if firmware integrity is breached, the device halts and refuses to boot. Organizations without FIPS enabled may not receive this automatic tamper alert.
  • The contents of scripts executed via FortiManager's upload script feature are not retained on the device, limiting forensic visibility into what commands were delivered to FortiGate devices.
  • The 'auth' malware reads the source IP and redirect port from a network socket dynamically, meaning the redirect destination port is not static and cannot be hardcoded into detection rules.
  • The 'localnet' startup script modification re-enables firmware verification at boot to mask the fact that 'smit' was tampered with, potentially defeating post-reboot integrity checks.
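The first two detection bullets above (FGMGTOKEN/DEVICEID cookies on requests to FortiManager, and port 541 traffic from unexpected sources) can be turned into a simple log check. The script below is an added example and not part of this record or of any vendor tooling; the HTTP log layout ("src_ip method path Cookie: ..."), the flow record layout ("src_ip dst_ip dst_port"), the sample lines and the trusted management subnet 10.0.5.0/24 are all constructed assumptions for the demonstration.

```python
"""Added example: flag the two network indicators listed for this CVE in sample logs."""
import re
from ipaddress import ip_address, ip_network

# Indicator values taken from the record above.
SUSPICIOUS_COOKIES = ("FGMGTOKEN", "DEVICEID")
FORTIGUARD_MGMT_PORT = 541

# Constructed sample HTTP request log (not a real FortiManager log format; the
# "src_ip method path Cookie: ..." layout is an assumption of this example).
SAMPLE_HTTP_LOG = """\
10.0.5.23 GET /p/forticare/ Cookie: sid=abc123
203.0.113.77 POST /p/forticare/ Cookie: FGMGTOKEN=QkxBSA==; DEVICEID=FGT60F-XXXX
10.0.5.24 GET /p/forticare/ Cookie: sid=def456; DEVICEID=FGT60F-YYYY
"""

# Constructed sample flow log: "src_ip dst_ip dst_port".
SAMPLE_FLOW_LOG = """\
10.0.5.23 10.0.1.1 541
198.51.100.9 10.0.1.1 541
10.0.5.23 10.0.1.1 443
"""

# Assumption: the subnet from which FortiManager / admin traffic legitimately originates.
TRUSTED_MGMT_NETS = [ip_network("10.0.5.0/24")]

HTTP_LINE = re.compile(
    r"^(?P<src>\S+) (?P<method>\S+) (?P<path>\S+) Cookie: (?P<cookies>.*)$"
)


def parse_cookies(cookie_header):
    """Return a dict of cookie name -> value from a Cookie header value."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def find_backdoor_cookie_requests(log_text):
    """Return (src_ip, [matched cookie names]) for every request carrying
    FGMGTOKEN or DEVICEID; either cookie alone is reported so an analyst
    can review it."""
    hits = []
    for line in log_text.splitlines():
        m = HTTP_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        cookies = parse_cookies(m.group("cookies"))
        present = [name for name in SUSPICIOUS_COOKIES if name in cookies]
        if present:
            hits.append((m.group("src"), present))
    return hits


def find_unexpected_mgmt_port_sources(flow_text, trusted_nets=TRUSTED_MGMT_NETS):
    """Return source IPs that reach port 541 from outside the trusted
    management networks (the destination port is static here; the malware's
    redirect target port is not, so only the 541 side is matched)."""
    unexpected = []
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        src, _dst, port = fields
        if int(port) != FORTIGUARD_MGMT_PORT:
            continue
        if not any(ip_address(src) in net for net in trusted_nets):
            unexpected.append(src)
    return unexpected


if __name__ == "__main__":
    for src, names in find_backdoor_cookie_requests(SAMPLE_HTTP_LOG):
        print(f"ALERT suspicious cookies {names} on request from {src}")
    for src in find_unexpected_mgmt_port_sources(SAMPLE_FLOW_LOG):
        print(f"ALERT port {FORTIGUARD_MGMT_PORT} traffic from unexpected source {src}")
```

On the constructed input this reports the request from 203.0.113.77 (both cookies), the request from 10.0.5.24 (DEVICEID only) and the port 541 flow from 198.51.100.9. Because the 'auth' malware's redirect port is read dynamically, the flow check keys on the fixed FortiGuard management port plus source-address allow-listing rather than on any attacker-side port.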

CVSS provenance

nvd         v3.1   7.1   HIGH     CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
vulncheck          6.7   MEDIUM
cisa               7.1   HIGH