CVE-2022-35842 Overview
CVE-2022-35842 is an exposure of sensitive information to an unauthorized actor vulnerability (CWE-200) affecting Fortinet FortiOS SSL-VPN. This vulnerability allows remote unauthenticated attackers to obtain sensitive information about LDAP and SAML configuration settings from vulnerable FortiOS installations without requiring any prior authentication.
Critical Impact
Unauthenticated remote attackers can extract sensitive LDAP and SAML configuration data, potentially enabling further attacks against enterprise authentication infrastructure.
Affected Products
- Fortinet FortiOS version 7.2.0
- Fortinet FortiOS versions 7.0.0 through 7.0.6
- Fortinet FortiOS versions 6.4.0 through 6.4.9
Discovery Timeline
- 2022-11-02 - CVE-2022-35842 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-35842
Vulnerability Analysis
This vulnerability exists within the FortiOS SSL-VPN component and is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The flaw allows attackers to remotely access configuration details without any form of authentication, making it particularly dangerous in environments where FortiOS devices serve as the primary VPN gateway.
The vulnerability exposes LDAP and SAML settings, which can include directory service connection parameters, authentication endpoints, and potentially service account information. This information disclosure can serve as reconnaissance for more sophisticated attacks against an organization's identity infrastructure.
Root Cause
The root cause stems from improper access controls in the SSL-VPN component that fail to adequately protect sensitive configuration endpoints. The FortiOS SSL-VPN service inadvertently exposes LDAP and SAML configuration data through requests that do not properly validate user authentication status, allowing any remote attacker to retrieve this sensitive information.
Attack Vector
The attack can be executed remotely over the network without requiring any authentication credentials or user interaction. An attacker simply needs network access to the vulnerable FortiOS SSL-VPN interface to exploit this vulnerability.
The attack flow typically involves:
- Attacker identifies a vulnerable FortiOS SSL-VPN endpoint exposed to the network
- Attacker sends crafted requests to the vulnerable SSL-VPN service
- The service responds with LDAP and SAML configuration details without verifying authentication
- Attacker uses disclosed information for further attacks or lateral movement planning
For detailed technical information, refer to the FortiGuard Security Advisory.
Detection Methods for CVE-2022-35842
Indicators of Compromise
- Unusual or unauthorized requests to SSL-VPN configuration endpoints from external IP addresses
- Increased reconnaissance activity targeting FortiOS SSL-VPN services
- Log entries showing configuration data access from unauthenticated sessions
- Network traffic patterns indicating enumeration of VPN gateway configuration
Detection Strategies
- Monitor FortiOS logs for unauthorized access attempts to configuration-related endpoints
- Deploy network intrusion detection rules to identify exploitation attempts against SSL-VPN services
- Implement web application firewall rules to detect and block suspicious requests to FortiOS management interfaces
- Review authentication logs for anomalous patterns that may indicate follow-on attacks using disclosed LDAP/SAML information
Monitoring Recommendations
- Enable verbose logging on FortiOS SSL-VPN components to capture detailed access patterns
- Configure alerts for configuration endpoint access from untrusted sources
- Regularly audit LDAP and SAML configuration access logs for unauthorized queries
- Implement continuous monitoring of FortiOS device health and security status through FortiAnalyzer or SIEM integration
How to Mitigate CVE-2022-35842
Immediate Actions Required
- Verify current FortiOS version and determine if systems are running affected versions (7.2.0, 7.0.0-7.0.6, or 6.4.0-6.4.9)
- Apply vendor-provided patches immediately to all affected FortiOS installations
- Restrict network access to SSL-VPN management interfaces using firewall rules
- Review LDAP and SAML configurations for any unauthorized changes following potential exposure
Patch Information
Fortinet has released security updates to address this vulnerability. Administrators should upgrade to patched FortiOS versions as specified in the FortiGuard Security Advisory FG-IR-22-223. Organizations should prioritize patching internet-facing FortiOS devices that provide SSL-VPN functionality.
Workarounds
- Implement network segmentation to restrict access to FortiOS SSL-VPN interfaces from untrusted networks
- Enable additional authentication mechanisms where possible to protect sensitive configuration endpoints
- Consider temporarily disabling SSL-VPN functionality if patching cannot be performed immediately
- Monitor for any unauthorized access or configuration changes while awaiting patch deployment
# Verify FortiOS version via CLI
get system status
# Check for SSL-VPN configuration
show vpn ssl settings
# Review access logging configuration
config log setting
show
end
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
