Authentication Bypass vulnerability in FortiOS products (FortiGate & FortiProxy)
CVE-2022-40684
Sources
FortiOS Release Notes | FortiGate / FortiOS 7.2.2 | Fortinet Documentation Library
https://support.fortinet.com/Information/Bulletin.aspx
Risks
Fortinet is advising its customers of a high-severity vulnerability in its FortiGate (FortiOS) and FortiProxy products.
Successful exploitation of CVE-2022-40684 bypasses authentication and allows an unauthenticated attacker to perform operations on the administrative interface.
The attack requires no user interaction and can be executed remotely. The impact on confidentiality, integrity and availability is high.
The Centre for Cyber Security Belgium (CCB) recommends that system administrators patch vulnerable systems as soon as possible and analyze system and network logs for any suspicious activity. This report contains instructions to help your organisation do so.
Proof-of-concept exploits and automation tools are publicly available, which makes exploiting CVE-2022-40684 easier.
Exploitation of CVE-2022-40684 has been observed in the wild. Threat actors are selling, on cybercrime forums, credentials leaked from and backdoors installed on devices compromised through CVE-2022-40684. Organisations remain at risk of follow-on attacks if the vulnerability was exploited (backdoors installed, users created, credentials stolen) before they patched. The CCB recommends verifying that the device was not compromised before the patch was installed: https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2022-40684
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
Description
On 6 October 2022 Fortinet published Customer Support Bulletin CSB-221006-1, "Authentication bypass on administrative interface (http/https)". The bulletin details CVE-2022-40684:
A remote, unauthenticated attacker can bypass authentication on a publicly exposed administrative interface of FortiGate or FortiProxy. Through an alternate path or channel (CWE-288) (1), the attacker may perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
Recommended Actions
Upgrade
Always ensure your systems are up to date.
- FortiGate: upgrade to FortiOS version 7.0.7 or later (7.0 branch) or 7.2.2 or later (7.2 branch)
- FortiProxy: upgrade to FortiProxy version 7.0.7 or later (7.0 branch) or 7.2.1 or later (7.2 branch)
Mitigate/workaround
- Customers can protect themselves from external attackers by ensuring the administrative interface is not exposed to the WAN.
- Disable WAN access to the administrative interface by following device-access best practices, and use a VPN for remote access and management instead.
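Below is an added Python example, written for this page rather than taken from Fortinet or the CCB, that turns the two actions above into checks an administrator can run offline. upgrade_target() says which fixed release a given FortiOS or FortiProxy build should move to, using the affected ranges Fortinet published for this CVE (7.0.0 to 7.0.6 and 7.2.0 to 7.2.1 for FortiOS; 7.0.0 to 7.0.6 and 7.2.0 for FortiProxy). exposed_wan_admin() parses the 'config system interface' table of a FortiOS configuration export to find interfaces with role 'wan' that still list http or https under 'set allowaccess', and remediation_cli() renders the CLI lines that remove them. The configuration excerpt is constructed for the example; the interface names, the use of the 'role' attribute as the WAN marker and the extra_wan parameter are assumptions made for illustration.

```python
import re
from typing import Dict, Optional, Set, Tuple

# Fixed releases named in this advisory, with the affected ranges Fortinet
# published for CVE-2022-40684: FortiOS 7.0.0-7.0.6 and 7.2.0-7.2.1,
# FortiProxy 7.0.0-7.0.6 and 7.2.0. Builds before 7.0.0 are not in scope.
AFFECTED = {
    "fortios":    [((7, 0, 0), (7, 0, 6), "7.0.7"), ((7, 2, 0), (7, 2, 1), "7.2.2")],
    "fortiproxy": [((7, 0, 0), (7, 0, 6), "7.0.7"), ((7, 2, 0), (7, 2, 0), "7.2.1")],
}
# Services on the admin interface that the bypass targets (HTTP/HTTPS).
ADMIN_WEB = {"http", "https"}

def parse_version(version: str) -> Tuple[int, ...]:
    """'7.0.10' -> (7, 0, 10). Integer tuples compare numerically; comparing
    the raw strings would rank '7.0.10' below '7.0.7'."""
    return tuple(int(part) for part in version.strip().split("."))

def upgrade_target(product: str, version: str) -> Optional[str]:
    """Fixed release to move to, or None when the build is outside the affected
    range (already fixed, or a branch such as 6.4 that the CVE does not touch)."""
    ranges = AFFECTED.get(product.lower())
    if ranges is None:
        raise ValueError(f"unknown product: {product}")
    v = parse_version(version)
    for low, high, fixed in ranges:
        if low <= v <= high:
            return fixed
    return None

def interfaces_from_config(config_text: str) -> Dict[str, dict]:
    """Parse the 'config system interface' table of a FortiOS config export into
    {name: {"allowaccess": set_of_services, "role": role}}. Nested sub-tables
    (e.g. 'config ipv6') are skipped so their 'end' does not end parsing early."""
    result: Dict[str, dict] = {}
    current, depth = None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth == 0:
            if line == "config system interface":
                depth = 1
            continue
        if line.startswith("config "):
            depth += 1
            continue
        if line == "end":
            depth -= 1
            if depth == 0:
                break
            continue
        if depth != 1:
            continue
        match = re.match(r'edit "([^"]+)"$', line)
        if match:
            current = match.group(1)
            result[current] = {"allowaccess": set(), "role": "undefined"}
        elif current and line.startswith("set allowaccess "):
            result[current]["allowaccess"] = set(line.split()[2:])
        elif current and line.startswith("set role "):
            result[current]["role"] = line.split()[2]
        elif line == "next":
            current = None
    return result

def exposed_wan_admin(config_text: str, extra_wan: Set[str] = frozenset()) -> Dict[str, str]:
    """Interfaces with role 'wan' (or listed in extra_wan, an assumed parameter)
    that still allow HTTP/HTTPS admin access, mapped to the CLI line removing it."""
    findings = {}
    for name, props in interfaces_from_config(config_text).items():
        if props["role"] != "wan" and name not in extra_wan:
            continue
        if props["allowaccess"] & ADMIN_WEB:
            kept = sorted(props["allowaccess"] - ADMIN_WEB)
            findings[name] = ("set allowaccess " + " ".join(kept)) if kept else "unset allowaccess"
    return findings

def remediation_cli(findings: Dict[str, str]) -> str:
    """Render the findings as a FortiOS CLI snippet ready to paste on the device."""
    body = "".join(f'    edit "{name}"\n        {cmd}\n    next\n' for name, cmd in findings.items())
    return "config system interface\n" + body + "end\n"

# Constructed config excerpt in FortiOS export syntax (not taken from any real device).
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping https ssh
        set role wan
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set role lan
    next
end
"""

if __name__ == "__main__":
    for product, version in [("FortiOS", "7.2.1"), ("FortiOS", "6.4.9"), ("FortiProxy", "7.2.0")]:
        print(product, version, "->", upgrade_target(product, version))
    print(remediation_cli(exposed_wan_admin(SAMPLE_CONFIG)))
```

Comparing version strings lexicographically would rank 7.0.10 below 7.0.7, and a plain "older than 7.0.7" test would flag 6.4.x builds that the CVE does not affect; the tuple comparison against explicit ranges avoids both. The generated snippet leaves the other services on the interface (ping, ssh) as they were, so only the HTTP/HTTPS admin exposure changes; review it before pasting it into the CLI.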
Monitor/Detect
The CCB recommends that organisations scale up their monitoring and detection capabilities to detect any related suspicious activity, ensuring a fast response in case of an intrusion.
While patching appliances or software to the newest version protects against future exploitation, it does not remediate a historic compromise.
When patching systems that have been vulnerable to an authentication bypass, perform a proactive threat assessment to verify that the device was not accessed from an unknown IP address or location, and that no unexpected administrator accounts or configuration changes were introduced.
The CCB recommends verifying that the device was not compromised before the patch was installed: https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2022-40684
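The following is an added Python example, not code from the CCB or Fortinet, showing what such a review can look like when run over FortiOS system event logs (type="event" subtype="system"). It flags three things: records attributed to the pseudo-user Local_Process_Access, which Fortinet's PSIRT advisory lists as an indicator of compromise for this CVE; successful administrator logins whose srcip lies outside the management networks you pass in; and records that add or edit an entry under system.admin, i.e. a new or modified administrator account. The log lines are constructed for the example in the FortiOS key=value event-log style and do not come from a real device; the field names relied on (srcip, action, status, cfgpath, cfgobj) and the trusted-network allow-list are assumptions to adapt to your own logging.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Indicator Fortinet published for this CVE: admin-interface activity logged
# under this pseudo-user rather than under a real administrator account.
IOC_USER = "Local_Process_Access"

# FortiOS event logs are key=value pairs; values containing spaces are double-quoted.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortios_log(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict (quoted values lose their quotes)."""
    record = {}
    for m in KV.finditer(line):
        record[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return record

def review_admin_activity(lines: List[str], trusted_admin_nets: List[str]) -> List[Tuple[str, dict]]:
    """Return (reason, record) pairs for system-event records that need a closer look:
    the Local_Process_Access indicator, successful admin logins from outside the
    trusted management networks, and administrator accounts being added or edited."""
    nets = [ipaddress.ip_network(n) for n in trusted_admin_nets]
    findings = []
    for line in lines:
        rec = parse_fortios_log(line)
        if rec.get("type") != "event" or rec.get("subtype") != "system":
            continue
        if rec.get("user") == IOC_USER:
            findings.append(("local_process_access", rec))
        if rec.get("action") == "login" and rec.get("status") == "success" and "srcip" in rec:
            src = ipaddress.ip_address(rec["srcip"])
            if not any(src in net for net in nets):
                findings.append(("admin_login_untrusted_ip", rec))
        # Assumed field names: cfgpath/cfgobj identify the configuration object touched.
        if rec.get("cfgpath") == "system.admin" and rec.get("action") in ("Add", "Edit"):
            findings.append(("admin_account_changed", rec))
    return findings

# Constructed lines in FortiOS key=value event-log style (not from a real device):
# a normal login from the management LAN, a login from an unknown address,
# an administrator account added under the Local_Process_Access pseudo-user,
# and an unrelated firewall-policy edit that should not be flagged.
SAMPLE_LOGS = [
    'date=2022-10-12 time=09:14:03 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="https(10.20.0.15)" method="https" '
    'srcip=10.20.0.15 dstip=10.20.0.1 action="login" status="success" reason="none" '
    'msg="Administrator admin logged in successfully from https(10.20.0.15)"',
    'date=2022-10-12 time=22:41:57 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="https(198.51.100.77)" method="https" '
    'srcip=198.51.100.77 dstip=203.0.113.2 action="login" status="success" reason="none" '
    'msg="Administrator admin logged in successfully from https(198.51.100.77)"',
    'date=2022-10-12 time=22:42:10 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="Local_Process_Access" ui="jsconsole(127.0.0.1)" '
    'action="Add" cfgpath="system.admin" cfgobj="support_user" msg="Add system.admin support_user"',
    'date=2022-10-12 time=22:43:01 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="https(10.20.0.15)" '
    'action="Edit" cfgpath="firewall.policy" cfgobj="7" msg="Edit firewall.policy 7"',
]

if __name__ == "__main__":
    for reason, rec in review_admin_activity(SAMPLE_LOGS, ["10.20.0.0/24"]):
        print(f'{rec["date"]} {rec["time"]} {reason}: user={rec.get("user")} '
              f'srcip={rec.get("srcip", "-")} msg={rec.get("msg")}')
```

Feed it the raw lines of the device's event log or your SIEM export, with your own management ranges in place of 10.20.0.0/24. Anything it returns deserves a look at the full session: a legitimate administrator connecting from a new address will also appear, whereas the Local_Process_Access indicator and an administrator account you did not create are not explained away by that.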
References
https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2022-40684