www.belgium.be Logo of the federal government

Authentication Bypass vulnerability in FortiOS products (FortiGate & FortiProxy)

Reference: 
Advisory #2022-028
Version: 
2.0
Affected software: 
Fortinet FortiOS: From 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1
Fortinet FortiProxy: From 7.0.0 to 7.0.6 and 7.2.0
Type: 
Authentication bypass
CVE/CVSS: 

CVE-2022-40684

Sources

FortiOS Release Notes | FortiGate / FortiOS 7.2.2 | Fortinet Documentation Library

https://support.fortinet.com/Information/Bulletin.aspx

 

Risks

Fortinet is advising it’s customers on a high severity vulnerability in their products Fortigate and Fortiproxy

Successful exploitation of CVE-2022-40684 can lead to authentication bypass and allow attackers to perform operations on the administrative interface.

The attack does not require any user interaction and can be executed remotely. The impact to confidentiality, integrity and availability is high.
 
The Centre for Cyber security Belgium recommends system administrators patch vulnerable systems as soon as possible and analyze system and network logs for any suspicious activity. This report has instructions to help your organization.

Proof of concepts and automation tools are available online which makes exploiting CVE-2022-40684 easier.

Exploitations of CVE-2022-40684 are seen in the wild. Threat actors are selling leaked credentials and backdoors, that are installed after exploitation of CVE-2022-40684, on cybercrime forums. Organisations are still at risk for additional attacks if CVE-2022-40684 was exploited (backdoors installed/users created/credentials stolen) before organisations patched. The CCB recommends to verify if the server wasn’t compromised before the patch was installed. https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2022-40684

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

 

Description

On the 6th of October Fortinet published on the Customer Support Bulletin CSB-221006-1: “Authentication bypass on administrative interface (http/https)”. This advisory details CVE-2022-40684:

A remote unauthenticated attacker could bypass the Authentication on a publicly exposed administrative interface on Fortigate and Fortiproxy. Using CWE-88 (1) (alternate path or channel) the attacker may perform operations on the administrative interface via specially crafted HTTP or HTPPS request

Recommended Actions

Upgrade

Always ensure your systems are up to date.

  • Fortigate: upgrade to FortiOS version 7.0.7 or 7.2.2
  • FortiProxy: upgrade to FortiOS version 7.0.7 or 7.2.1

Mitigate/workaround

  • Customers can protect themselves from external attackers by ensuring their Administrative interface is not exposed to WAN.
  • Disable WAN access to the Administrative interface by following device access best practices and instead use a VPN for remote access and management.

Monitor/Detect
 
The CCB recommends organizations to upscale monitoring and detection capabilities and to detect any related suspicious activity, ensuring a fast response in case of an intrusion.
 
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
 
When applying patches to systems that have been vulnerable to an authentication bypass, a proactive threat assessment should be performed to verify the device was not accessed from an unknown IP or location.

The CCB recommends to verify if the server wasn’t compromised before the patch was installed. https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2022-40684

 

 

References

(1) CWE - CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (4.8) (mitre.org)

https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2022-40684