FortiNet Administrative Authentication bypass
This live blog contains information regarding the FortiNet Administrative Authentication bypass. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on October 14, 2022.
T-Update
This live blog contains information regarding the FortiNet Administrative Authentication bypass. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on October 14, 2022.
Update October 14, 2022
11:00 | We updated our blog about the Fortinet Authentication Bypass vulnerability (CVE-2022-40684). As expected, a proof-of-concept exploit has been published by Horizon3. With the publication of the proof-of-concept exploit code, the chance of exploitation by malicious entities increases. Therefore, it is highly recommended to apply the software patches or workaround.
The blog published by Horizon3 regarding the proof-of-concept exploit can be found here: https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/
Update October 13, 2022
17:00 | We updated our blog about the Fortinet Authentication Bypass vulnerability. The vulnerability is registered as CVE-2022-40684 and involves an authentication bypass in the administrative web interface of FortiOS, FortiProxy and FortiSwitchManager.
Fortinet has published a public Security Advisory, and has added FortiSwitchManager to the list of impacted products. Additionally, both Fortinet and IT security company Horizon3 have published steps to detect possible exploitation of CVE-2022-40684. In order to detect exploitation of the vulnerability, specific logging needs to be enabled.
Update October 7, 2022
14:00 | On 6 October 2022, FortiNet released a customer support bulletin in which they describe CVE-2022-40684. This vulnerability is an authentication bypass in the administrative interface of FortiOS and FortiProxy.
FortiNet has published updates patching the vulnerability. It is strongly advised to upgrade as soon as possible.
Limited information is currently available. This blog will be updated when more information becomes available.
Background
On 6 October 2022, FortiNet released a customer support bulletin in which they describe CVE-2022-40684. This vulnerability is an authentication bypass in the administrative interface of FortiOS and FortiProxy.
Risk
CVE-2022-40684 allows an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests using an alternate path or channel.
Advice
Fortinet has added FortiSwitchManager to the list of vulnerable products. The following products are listed by Fortinet as impacted by CVE-2022-40684:
- FortiGate – FortiOS version 7.0.0 – 7.0.6 and 7.2.0 – 7.2.1
- FortiProxy – Version 7.0.0 – 7.0.6 and 7.2.0
- FortiSwitchManager – Version 7.0.0 and 7.2.0
Fortinet has published updates patching the vulnerability. It is strongly advised to upgrade as soon as possible:
- FortiGate upgrade to version 7.0.7 or 7.2.2
- FortiProxy upgrade to version 7.0.7 or 7.2.1
- FortiSwitchManager upgrade to version 7.2.1
When the patch cannot be applied, two possible workarounds are available depending on the product:
- limit the IP addresses that can reach the administrative web interface;
- disable the administrative web interface.
Detailed instructions for the workaround are provided in the Fortinet Security Advisory.
Both the Fortinet Security Advisory and the Horizon3 blog describe steps to detect exploitation of the vulnerability. This requires the REST API logging to be enabled, which is highly recommended. If the REST API logging was already enabled, monitor the logs for indicators of compromise as described in both the Fortinet Security Advisory and the Horizon3 blog.
Call to action:
- Determine if your Fortinet product(s) is/are vulnerable;
- Apply the available software patches or apply a workaround;
- Enable REST API logging. This is also recommended if the patch is installed, or one of the workarounds is applied;
- Monitor the log files of the device for indictors of exploitation;
- Contact Fortinet Customer Support, Tesorion-SOC or Tesorion-CERT in case indicators of exploitation are identified.
Sources
More information:
- Horizon3 blog – proof-of-concept exploit – https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/
- Proof-of-concept exploit code – https://github.com/horizon3ai/CVE-2022-40684
- Fortinet Security Advisory – https://www.fortiguard.com/psirt/FG-IR-22-377
- Horizon3 blog – https://www.horizon3.ai/fortinet-iocs-cve-2022-40684/
- NCSC Advies – https://advisories.ncsc.nl/advisory?id=NCSC-2022-0630
FortiNet release notes:
Sign up to receive T-Updates
Receive the latest vulnerabilities in your email every Wednesday
More than 1,000 organisations have already joined us.
