CVE-2022-45856

Summary

An improper certificate validation vulnerability [CWE-295] in FortiClientWindows 6.4 all versions, 7.0.0 through 7.0.7, FortiClientMac 6.4 all versions, 7.0 all versions, 7.2.0 through 7.2.4, FortiClientLinux 6.4 all versions, 7.0 all versions, 7.2.0 through 7.2.4, FortiClientAndroid 6.4 all versions, 7.0 all versions, 7.2.0 and FortiClientiOS 5.6 all versions, 6.0.0 through 6.0.1, 7.0.0 through 7.0.6 SAML SSO feature may allow an unauthenticated attacker to man-in-the-middle the communication between the FortiClient and  both the service provider and the identity provider.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiClientiOS7.0.3 <= 7.0.6affected
FortinetFortiClientiOS7.0.0 <= 7.0.1affected
FortinetFortiClientiOS6.0.0 <= 6.0.1affected
FortinetFortiClientiOS5.6.5 <= 5.6.6affected
FortinetFortiClientiOS5.6.0 <= 5.6.1affected
FortinetFortiClientiOS5.4.3 <= 5.4.4affected
FortinetFortiClientiOS5.4.0 <= 5.4.1affected
FortinetFortiClientiOS5.2.0 <= 5.2.3affected
FortinetFortiClientiOS5.0.0 <= 5.0.3affected
FortinetFortiClientiOS4.0.0 <= 4.0.2affected
FortinetFortiClientiOS2.0.0 <= 2.0.1affected
FortinetFortiClientAndroid7.2.0affected
FortinetFortiClientAndroid7.0.6 <= 7.0.7affected
FortinetFortiClientAndroid7.0.2 <= 7.0.3affected
FortinetFortiClientAndroid7.0.0affected
FortinetFortiClientAndroid6.4.6affected
FortinetFortiClientAndroid6.4.4affected
FortinetFortiClientAndroid6.4.1affected
FortinetFortiClientAndroid6.0.0affected
FortinetFortiClientAndroid5.6.0affected
FortinetFortiClientAndroid5.4.0 <= 5.4.2affected
FortinetFortiClientAndroid5.2.0 <= 5.2.8affected
FortinetFortiClientAndroid5.0.0 <= 5.0.3affected
FortinetFortiClientMac7.2.0 <= 7.2.4affected
FortinetFortiClientMac7.0.0 <= 7.0.13affected
FortinetFortiClientMac6.4.0 <= 6.4.10affected
FortinetFortiClientLinux7.2.0 <= 7.2.4affected
FortinetFortiClientLinux7.0.0 <= 7.0.13affected
FortinetFortiClientLinux6.4.7 <= 6.4.9affected
FortinetFortiClientLinux6.4.0 <= 6.4.4affected
FortinetFortiClientWindows7.0.0 <= 7.0.7affected
FortinetFortiClientWindows6.4.0 <= 6.4.10affected

Weaknesses

  • CWE-295: Information disclosure

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References