IR Number FG-IR-22-049
Date Jul 5, 2022
Severity light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo Medium
CVSSv3 Score 6.8
Impact Execute unauthorized code or commands
CVE ID CVE-2022-27483
Affected Products
FortiManager : 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.4.7, 6.4.6, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.9, 6.2.8, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.11, 6.0.10, 6.0.1, 6.0.0
FortiAnalyzer : 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.4.7, 6.4.6, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.9, 6.2.8, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.11, 6.0.10, 6.0.1, 6.0.0
CVRF Download

PSIRT Advisories

FortiAnalyzer & FortiManager - OS command injection vulnerability in CLI

Summary

An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiAnalyzer & FortiManager may allow an authenticated attacker to execute arbitrary shell code as `root` user via `diagnose system` CLI commands.

Affected Products

At least
FortiManager version 7.0.0 through 7.0.3
FortiManager version 6.4.0 through 6.4.7
FortiManager version 6.2.0 through 6.2.9
FortiManager version 6.0.0 through 6.0.11
At least
FortiAnalyzer version 7.0.0 through 7.0.3
FortiAnalyzer version 6.4.0 through 6.4.7
FortiAnalyzer 6.2 all versions
FortiAnalyzer 6.0 all versions

Solutions

Upgrade to FortiAnalyzer version 7.2.0 or above,

Upgrade to FortiAnalyzer version 7.0.4 or above,

Upgrade to FortiAnalyzer version 6.4.8 or above.

Upgrade to FortiManager version 7.2.0 or above,

Upgrade to FortiManager version 7.0.4 or above,

Upgrade to FortiManager version 6.4.8 or above.

Acknowledgement

Internally discovered and reported by Théo Leleu of Fortinet Product Security team.