Fortinet has patched a slew of security flaws in many of its endpoint security products.
On Tuesday, the California-based cybersecurity behemoth, which accounts for more than a third of all firewall and unified threat management deployments globally, published a massive number of firmware and software upgrades (July 5).
Multiple relative route traversal faults in FortiDeceptor's administrative interface, which sets up virtual computers that act as honeypots for network intruders, are among a quartet of high-severity problems (CVE-2022-30302).
According to the accompanying Fortinet alert, abusing these may permit a remote and authorised attacker to obtain and delete arbitrary files from the underlying filesystem using carefully crafted web requests.
Similarly, path traversal in the named pipe responsible for the FortiESNAC service might allow attackers to gain privilege escalation in Windows versions of the endpoint security and VPN application FortiClient (CVE-2021-41031).
Meanwhile, the FortiNAC network access control system was vulnerable to a "empty password in configuration file vulnerability," which allowed an authorised attacker to access the MySQL databases via the command line interface (CLI) (CVE-2022-26117).
Additional flaws
The other high severity issue, which affects the FortiAnalyzer security event analysis appliance, the FortiManager network management device, the FortiOS operating system, and the FortiProxy web proxy, "may allow a privileged attacker to execute arbitrary code or command via crafted CLI 'execute restore image' and 'execute certificate remote' TFTP protocol operations" (CVE-2021-43072).
Meanwhile, FortiEDR endpoint security solution cross-site scripting (XSS) vulnerabilities (CVE-2022-29057); a privilege escalation issue in FortiManager and FortiAnalyzer (CVE-2022-26118); and stack-based buffer overflows in diagnostic CLI commands impacting FortiOS and FortiProxy (CVE-2022-26118) (CVE-2021-44170).
The sixth and final medium severity problem affects FortiOS, FortiProxy, FortiSwitch ethernet switches, the FortiRecoder video surveillance system, and the FortiVoiceEnterprise communications system (CVE-2021-42755).
Last but not least, a low severity XSS vulnerability impacts FortiOS (CVE-2022-23438).
