FortiOS - Authentication Bypass CVE-2022-40684

Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

• On October 10, 2022, Fortinet released a PSIRT advisory on CVE-2022-40684, an authentication bypass vulnerability impacting FortiOS, FortiProxy and FortiSwitchManager. The vulnerability was given a CVSS score of 9.6 and was actively exploited at time of disclosure.
• Fortinet privately notified customers in the days preceding the public disclosure. Successful exploitation would grant attackers the ability to fetch system configuration files and create super admin accounts on FortiOS devices (among other actions).
• On October 13, 2022, the Proof-of-Concept code was released by the Horizon3 Attack Team.
• eSentire’s Threat Response Unit (TRU) identified successful exploitation of CVE-2022-40684 on approximately 7% of customers ingesting Fortinet logs to our MDR for Log service.

How did we find it?

Based on Fortinet’s advisory and details shared by Horizon3, it was noted that malicious activity would appear in devices logs originating from the Local_Process_Access user and would utilize either the Node.js or ReportRunner user interfaces.

TRU initiated threat hunts across MDR for Log telemetry for the above patterns using a query like the one below:

"Local_Process_Access" AND ("Report Runner" OR "node.js")

The resulting logs raised immediate suspicion as they contained verbiage around uploading and running scripts, downloading certificates, and adding system admin users to the device. Some examples include:

• "Local Certificate (CER) file has been downloaded by user Local_Process_Access via Node.js"
• "User Local_Process_Access via Node.js upload and run script: script.txt -- OK"
• "Edit system.admin fortigate-tech-support"

A further review of captured logs (Figures 1 and 2) confirmed the activity was associated with exploitation of CVE-2022-40684.

Figure 1 Fortinet log for super_admin account "fortigate-tech-support" creation.

Figure 2 Fortinet log for script execution of "script.txt"

Successful exploitation was identified at approximately 7% of customers ingesting Fortinet logs into our MDR for Log service. The earliest exploitation activity took place on October 9, 2022, where attackers retrieved system configuration files.

The first backdoor account creation occurred on October 12, 2022. Here is a list of the unique backdoor accounts observed across client devices:

• fortigate-tech-support
• fortigate-support-user
• webadmin
• it.admin38

• it.admin73
• fortinet_admin

What did we do?

• TRU worked with eSentire’s team of 24/7 SOC Cyber Analysts to notify impacted customers and initiate investigation and cleanup.
• We also deployed the detection content for CVE-2022-40684 to all MDR for Log customers.

What can you learn from this TRU Positive?

• Exploits for networking appliances are valuable given vulnerable interfaces are publicly accessible as part of normal operation.
• These appliances often provide a gateway into the network for further exploitation of internal systems. This vulnerability highlights the importance of ingesting logs from critical infrastructure and perimeter defenses even if threat detection capabilities & content are sparse at the time.

Recommendations from our Threat Response Unit (TRU):

• Review super admin account creation dates. If a super admin account was created recently without your team’s knowledge, consider this suspicious and remove the super admin account created on the Fortigate systems.

• Apply vendor provided patches to remediate the issue.
• If patching is not possible, implement a mitigation by either disabling the HTTP/HTTPS administrative interface OR creating a list of allowed IP addresses that can access the HTTP/HTTPS administrative interface.
• Review Fortigate logs to identify compromise. In addition to the known backdoor super_admin accounts listed above, query for the string "Local_Process_Access" in combination with either of the following strings "Node.js", or “Report Runner". If found, evaluate the message detail associated to determine the action performed.

eSentire’s Threat Response Unit (TRU) is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.

If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.

Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.