Fortinet FortiOS, FortiProxy, and FortiSwitch Manager Authentication Bypass Vulnerability under Active Exploitation
Fortinet strongly recommends customers take urgent and immediate action after reports of exploitation
Affected platforms
The following platforms are known to be affected:
Threat details
Introduction
Fortinet has released a security advisory to address CVE-2022-40684, an authentication bypass vulnerability on the administrative interface of FortiOS, FortiProxy, and FortiSwitch Manager. CVE-2022-40684 has a CVSSv3 score of 9.6.
An unauthenticated, remote attacker could send a specially crafted HTTP or HTTPS request to exploit this vulnerability, which could allow the attacker to perform operations on the administrative interface and take control of the system.
Exploitation in the wild for CVE-2022-40684
Where organisations have found evidence of compromise they should call 0300 303 5222 or email [email protected] immediately.
Fortinet warns that the vulnerability CVE-2022-40684 is being widely exploited and recommends immediately validating your systems against the indicators of compromise listed below in this Cyber Alert.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2022-40684 to their Known Exploited Vulnerabilities Catalog. A proof-of-concept has also been made public by Horizon3.ai.
The National Cyber Security Centre for Ireland has stated: "The NCSC strongly advises affected organisations to upgrade to 7.0.7 or 7.2.2 immediately. Patching the vulnerability alone is not sufficient. Organisations should verify the integrity of affected platforms through examination of logs for evidence of successful exploitation."
Remediation advice
Affected organisations must:
- Review Fortinet's Product Security Incident Response Team (PSIRT) advisory FG-IR-22-377
- Apply relevant updates as soon as practicable
- Validate your systems against any of the following indicators of compromise in the device’s logs:
user="Local_Process_Access"
user_interface="Report Runner"
user_interface="Node.js"
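The log check in the step above can be scripted. The following is an added example, not code from Fortinet or from this alert: it parses FortiGate-style key=value event log lines and flags any line carrying one of the three indicator values listed above. It assumes the raw log export abbreviates the user_interface field as ui= (the FIELD_ALIASES mapping), and the sample log lines are constructed for illustration, not real device output.

```python
"""Scan FortiGate-style key=value event logs for the CVE-2022-40684 indicators."""
import re
from typing import Iterable

# Indicator values from the alert. Keys are the field names as the alert lists
# them; raw FortiGate log lines abbreviate user_interface as "ui" (assumption
# for this example: adjust FIELD_ALIASES if your export names fields differently).
IOC_VALUES = {
    "user": {"Local_Process_Access"},
    "user_interface": {"Report Runner", "Node.js"},
}
FIELD_ALIASES = {"ui": "user_interface"}

# FortiGate logs are space-separated key=value pairs; values may be double-quoted.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line: str) -> dict:
    """Parse one key=value log line into a dict, normalising field aliases."""
    fields = {}
    for m in _KV_RE.finditer(line):
        key = FIELD_ALIASES.get(m.group(1), m.group(1))
        fields[key] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def find_indicators(fields: dict) -> list:
    """Return the indicator strings (key="value") present in a parsed line."""
    return [
        f'{key}="{fields[key]}"'
        for key, bad in IOC_VALUES.items()
        if fields.get(key) in bad
    ]


def scan_log(lines: Iterable[str]) -> list:
    """Return one finding per line that carries at least one indicator."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        fields = parse_log_line(line)
        hits = find_indicators(fields)
        if hits:
            findings.append({
                "line": lineno,
                "indicators": hits,
                "when": f"{fields.get('date', '?')} {fields.get('time', '?')}",
                "action": fields.get("action"),
                "cfgpath": fields.get("cfgpath"),
                "msg": fields.get("msg"),
            })
    return findings


# Constructed sample lines for illustration only; not real device output.
SAMPLE_LOG = [
    'date=2022-10-10 time=09:14:02 type="event" subtype="system" '
    'user="admin" ui="https(192.0.2.10)" action="login" status="success" '
    'msg="Administrator admin logged in successfully"',
    'date=2022-10-10 time=09:15:44 type="event" subtype="system" '
    'user="Local_Process_Access" ui="Report Runner" action="Edit" '
    'cfgpath="system.admin" cfgobj="admin" cfgattr="ssh-public-key1" '
    'msg="Edit system.admin admin"',
    'date=2022-10-10 time=09:16:01 type="event" subtype="system" '
    'user="Local_Process_Access" ui="Node.js" action="Add" '
    'cfgpath="system.admin" cfgobj="admin" msg="Add system.admin admin"',
    'date=2022-10-10 time=09:20:30 type="event" subtype="system" '
    'user="admin" ui="ssh(192.0.2.10)" action="Edit" cfgpath="system.dns" '
    'msg="Edit system.dns"',
]

if __name__ == "__main__":
    # Run over an exported log with: scan_log(open("fortigate-event.log"))
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {', '.join(f['indicators'])} "
              f"at {f['when']} action={f['action']} cfgpath={f['cfgpath']}")
```

Each finding keeps the action and cfgpath fields so that a hit can be followed up with what was changed (for example an edit to system.admin); any hit should be treated as evidence of compromise and reported as the alert directs, because patching afterwards does not undo configuration changes already made.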
Last edited: 17 October 2022 2:33 pm