- 289/2022
- High
Fortinet has released security updates to address multiple vulnerabilities across multiple products.
The addressed vulnerabilities could allow the remote attacker to gain access, log manipulation, and retrieve files with specific extensions from the affected products.
These security updates fix several vulnerabilities affecting multiple Fortinet products such as FortiADC, FortiProxy, FortiOS, FortiSOAR, FortiDeceptor, and FortiSandbox.
Sample of the addressed vulnerabilities:
1. FortiOS & FortiProxy – SSH authentication bypass when RADIUS authentication is used (CVE-2022-35843):
- CVSS: 7.7
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
2. FortiADC – SQL injection vulnerability in configuration backup feature (CVE-2022-33875):
- CVSS: 5.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Gain Access
Vulnerabilities
- CVE-2022-33876
- CVE-2022-33875
- CVE-2022-35843
- CVE-2022-40680
- CVE-2022-38379
- CVE-2022-30305
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.