CVE-2022-40684: New Authentication Bypass Affecting FortiGate and FortiProxy

Secpy Community, published in InfoSec Write-ups, Oct 8, 2022

Written by: anshul vyas

What happened?

On October 3, 2022, Fortinet released updates for its FortiOS (firewall) and FortiProxy (web proxy) software and disclosed CVE-2022-40684, which affected the then-current versions of both products. With a single specially crafted HTTP or HTTPS request, a remote, unauthenticated attacker can bypass authentication and reach the products' administrative interface. According to CISA's Known Exploited Vulnerabilities Catalog, Fortinet vulnerabilities have historically been exploited by threat actors to gain initial access and move laterally within a victim's environment. Based on that precedent and the privileges obtained by exploiting this vulnerability, Arctic Wolf predicts that threat actors will likely develop a proof-of-concept exploit and use it in the near future.

Fixed Version

Fortinet resolved the vulnerability in its 7.0.7 and 7.2.2 releases on Thursday, October 6, 2022. Rapid7, alongside Fortinet, is urging organizations running an affected version of the software to upgrade to 7.0.7 or 7.2.2 as soon as possible, on an emergency basis. These products are high-value, high-focus targets for attackers looking to gain access to internal networks. Although Rapid7 is not aware of any exploitation of this vulnerability in the wild, we expect attackers to focus on CVE-2022-40684 as soon as possible, as happened with CVE-2018-13379. Rapid7 recommends limiting public access to administrative interfaces on all high-value edge devices.
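The emergency-upgrade guidance above turns into a practical question for a defender: which devices in the fleet are still below the fixed release on their branch? The script below is an added example written for this page, not code from Fortinet, Rapid7, or the author. It takes the two fixed releases the page names (7.0.7 on the 7.0 branch, 7.2.2 on the 7.2 branch) and triages an inventory of reported version strings. It assumes version strings shaped like "7.0.5", "v7.0.5" or "v7.2.1,build1255"; any branch other than 7.0 or 7.2 is reported as "unknown" because the page does not describe those branches, and the hostnames and versions in the sample inventory are constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed releases named in the advisory text: 7.0.7 (7.0 branch) and 7.2.2 (7.2 branch).
# Assumption for this example: a device on the 7.0 branch below 7.0.7, or on the
# 7.2 branch below 7.2.2, is treated as not yet carrying the fix. Any other branch
# is reported as "unknown" rather than guessed, since the page says nothing about it.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (7, 0): (7, 0, 7),
    (7, 2): (7, 2, 2),
}

# Accepts "7.0.5", "v7.0.5", "v7.2.1,build1255" and similar (assumed format);
# only the leading major.minor.patch triple is used for the comparison.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(s: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a reported version string, or None if unparseable."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def triage(version: str) -> str:
    """Return 'patched', 'unpatched' or 'unknown' for a single reported version string."""
    v = parse_version(version)
    if v is None:
        return "unknown"            # cannot parse: do not guess, flag for manual review
    fixed = FIXED_BY_BRANCH.get((v[0], v[1]))
    if fixed is None:
        return "unknown"            # branch not covered by the page's fixed releases
    # Tuple comparison handles multi-digit patch levels correctly (7.2.10 > 7.2.2).
    return "patched" if v >= fixed else "unpatched"


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map {hostname: version string} to {hostname: status}, sorted by hostname."""
    return {host: triage(ver) for host, ver in sorted(inventory.items())}


# Constructed sample inventory for the example; these are not real hosts or findings.
SAMPLE_INVENTORY = {
    "fw-edge-01": "v7.0.5,build0304",
    "fw-edge-02": "7.0.7",
    "proxy-01": "v7.2.1",
    "proxy-02": "7.2.2",
    "fw-lab": "6.4.9",
    "fw-broken": "not-a-version",
}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12s} {status}")
```

Anything reported as "unknown" deserves a manual look rather than being treated as safe; the point of keeping that third state is to avoid silently marking an unparseable or out-of-scope device as patched.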

Analysis

CVE-2022-40684 is a critical authentication bypass with a CVSSv3 score of 9.6: a remote attacker with access to the management interface of a vulnerable target could disable or override administrator functions. According to currently available information, the vulnerability has not yet been exploited in attacks. In light of threat actors' penchant for targeting FortiOS vulnerabilities, Fortinet has recommended that it be fixed "with the utmost urgency."

Conclusion

The company acknowledged the advisory when asked for a comment, but said it would delay public announcement until customers had applied the fixes. "In order to best protect and secure their organizations, it is essential that we communicate with our customers on a regular basis. When communicating with customers, you'll often find the most current guidance and recommended steps to keep their organization protected and secure. In some cases, customers can receive confidential advance communication on advisories, which will then be made public to a broader audience in the coming days, enabling them to strengthen their security posture. Customer security is our top priority," the company said in a statement.
