FortiNet Administrative Authentication bypass

This live blog contains information regarding the FortiNet Administrative Authentication bypass. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on October 14, 2022.

Update October 14, 2022

11:00 | We updated our blog about the Fortinet Authentication Bypass vulnerability (CVE-2022-40684). As expected, a proof-of-concept exploit has been published by Horizon3. With the publication of the proof-of-concept exploit code, the chance of exploitation by malicious entities increases. Therefore, it is highly recommended to apply the software patches or workaround.

The blog published by Horizon3 regarding the proof-of-concept exploit can be found here: https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/

Update October 13, 2022

17:00 | We updated our blog about the Fortinet Authentication Bypass vulnerability. The vulnerability is registered as CVE-2022-40684 and involves an authentication bypass in the administrative web interface of FortiOS, FortiProxy and FortiSwitchManager.

Fortinet has published a public Security Advisory, and has added FortiSwitchManager to the list of impacted products. Additionally, both Fortinet and IT security company Horizon3 have published steps to detect possible exploitation of CVE-2022-40684. In order to detect exploitation of the vulnerability, specific logging needs to be enabled.

Update October 7, 2022

14:00 | On 6 October 2022, FortiNet released a customer support bulletin in which they describe CVE-2022-40684. This vulnerability is an authentication bypass in the administrative interface of FortiOS and FortiProxy.

FortiNet has published updates patching the vulnerability. It is strongly advised to upgrade as soon as possible.

Limited information is currently available. This blog will be updated when more information becomes available.

Reason and background of this blog

This blog contains information about vulnerabilities, the possible risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.

Vulnerability information

On 6 October 2022, FortiNet released a customer support bulletin in which they describe CVE-2022-40684. This vulnerability is an authentication bypass in the administrative interface of FortiOS and FortiProxy.

Potential Risk

CVE-2022-40684 allows an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests using an alternate path or channel.

Detail info

Fortinet has added FortiSwitchManager to the list of vulnerable products. The following products are listed by Fortinet as impacted by CVE-2022-40684:

FortiGate – FortiOS version 7.0.0 – 7.0.6 and 7.2.0 – 7.2.1
FortiProxy – Version 7.0.0 – 7.0.6 and 7.2.0
FortiSwitchManager – Version 7.0.0 and 7.2.0

Fortinet has published updates patching the vulnerability. It is strongly advised to upgrade as soon as possible:

FortiGate upgrade to version 7.0.7 or 7.2.2
FortiProxy upgrade to version 7.0.7 or 7.2.1
FortiSwitchManager upgrade to version 7.2.1

When the patch cannot be applied, two possible workarounds are available depending on the product:

limit the IP addresses that can reach the administrative web interface;
disable the administrative web interface.

Detailed instructions for the workaround are provided in the Fortinet Security Advisory.

Both the Fortinet Security Advisory and the Horizon3 blog describe steps to detect exploitation of the vulnerability. This requires the REST API logging to be enabled, which is highly recommended. If the REST API logging was already enabled, monitor the logs for indicators of compromise as described in both the Fortinet Security Advisory and the Horizon3 blog.

Call to action

Call to action:

Determine if your Fortinet product(s) is/are vulnerable;
Apply the available software patches or apply a workaround;
Enable REST API logging. This is also recommended if the patch is installed, or one of the workarounds is applied;
Monitor the log files of the device for indictors of exploitation;
Contact Fortinet Customer Support, Tesorion-SOC or Tesorion-CERT in case indicators of exploitation are identified.

Sources

More information:

Horizon3 blog – proof-of-concept exploit – https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/
Proof-of-concept exploit code – https://github.com/horizon3ai/CVE-2022-40684
Fortinet Security Advisory – https://www.fortiguard.com/psirt/FG-IR-22-377
Horizon3 blog – https://www.horizon3.ai/fortinet-iocs-cve-2022-40684/
NCSC Advisory – https://advisories.ncsc.nl/advisory?id=NCSC-2022-0630

FortiNet release notes:

Do you want to be informed in time? Sign up for our technical updates

Would you like to receive these critical vulnerabilities by e-mail from now on? Enter your e-mail address below.

Tesorion uses your personal data to send out requested information and possibly for contact by telephone and for marketing and sales purposes. You can change your preferences whenever you want. Read our privacy policy for more information.