CVE-2022-39947: Fortinet FortiADC command injection

Fortinet on Tuesday informed customers about 5 vulnerabilities discovered in the company’s products, including 2 flaws that have been assigned a ‘high’ severity rating.

One of the high-severity issues affects FortiADC and it allows an authenticated attacker with access to the web GUI to execute commands via specifically crafted HTTP requests. Tracked as CVE-2022-39947 (CVSS score of 8.6), the flaw allows a remote authenticated attacker to execute arbitrary code on the system, caused by an OS command injection vulnerability.

“An improper neutralization of special elements used in an OS command vulnerability in FortiADC may allow an authenticated attacker with access to the web GUI to execute unauthorized code or commands via specifically crafted HTTP requests,” Fortinet wrote.

CVE-2022-39947 affects FortiADC versions 5.4.x, 6.0.x, 6.1.x, 6.2.x, and 7.0.x, and will be patched with the release of FortiADC 6.2.4 and 7.0.2.

Another high-severity flaw, tracked as CVE-2022-35845 (CVSS score of 7.6), is described as a command injection vulnerability in FortiTester’s GUI and API and caused by multiple improper neutralization of special elements. The bug impacts FortiTester versions 2.x.x, 3.x.x, 4.x.x, 7.x, and 7.1.0, and was fixed with the release of FortiTester versions 3.9.2, 4.2.1, 7.1.1, and 7.2.0.

The list of three medium-severity flaws is as follows :

• FG-IR-22-250: An improper neutralization of CRLF sequences in HTTP headers (‘HTTP Response Splitting’) vulnerability [CWE-113] In FortiWeb API may allow an authenticated and remote attacker to inject arbitrary headers.
• CVE-2022-41336: An improper neutralization of input during web page generation vulnerability [CWE-79] in the FortiPortal management interface may allow a remote authenticated attacker to perform a stored cross-site scripting (XSS) attack via sending a request with a specially crafted columnindex parameter.
• CVE-2022-45857: An incorrect user management vulnerability [CWE-286] in the FortiManager VDOM creation component may allow an attacker to access a FortiGate without a password via newly created VDOMs after the super_admin profiled admin account is deleted.

Additional details on these security defects and the impacted products can be found on Fortinet’s PSIRT page.