THE THREAT
On October 10th, Fortinet publicly disclosed a critical vulnerability impacting multiple Fortinet products [1]; the vulnerability was confirmed to be under active exploitation at the time of disclosure. The vulnerability is tracked as CVE-2022-40684 (CVSS: 9.6); it is an authentication bypass vulnerability in the administrative interface that impacts FortiOS, FortiProxy, and FortiSwitchManager. Successfully exploiting CVE-2022-40684 would allow a remote and unauthenticated threat actor to log into vulnerable on-premises management instances via specially crafted HTTP or HTTPS requests.
On October 13th, a technical report on the vulnerability [3] and functional Proof-of-Concept (POC) exploit code [2] were released. The eSentire Threat Intelligence team assesses with high confidence that the publication of this information will increase real-world attacks in the immediate future. As exploitation is ongoing and expected to increase, impacted organizations are strongly urged to apply the relevant security patches or mitigations immediately.
What we’re doing about it
What you should do about it
Additional information
Details on real-world attacks exploiting CVE-2022-40684 have not been made public yet. However, as noted above, a number of publicly available proof-of-concept exploits for the vulnerability are hosted on code repositories. The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities.
The technical blog [3] outlines how, using the Forwarded header, an attacker can set the client_ip to "127.0.0.1". The "trusted access" authentication check verifies that the client_ip is "127.0.0.1" and that the User-Agent is "Report Runner", both of which are under attacker control.
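The two attacker-controlled values described above give defenders a concrete detection opportunity: a request whose Forwarded header claims a loopback origin while the actual TCP peer is remote, especially with the "Report Runner" User-Agent, should never occur legitimately. The following detection heuristic is an added example written for this advisory, not code from eSentire, Fortinet, or Horizon3; the request record fields and sample traffic are constructed for illustration and do not represent Fortinet's log format.

```python
from dataclasses import dataclass, field
import re

@dataclass
class HttpRequest:
    src_ip: str        # address of the TCP peer, not taken from any header
    path: str
    headers: dict = field(default_factory=dict)  # lowercased header name -> value

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
TRUSTED_UA = "report runner"   # value the trusted-access check keys on (compared case-insensitively)
# RFC 7239 Forwarded: for=<node>; node may be quoted, bracketed (IPv6) or carry a port
_FOR_RE = re.compile(r'for\s*=\s*"?(?:\[(?P<v6>[^\]]+)\]|(?P<v4>[^";,\s]+))', re.IGNORECASE)

def forwarded_for_nodes(value: str) -> list:
    """Return every 'for=' node in a Forwarded header value, ports stripped."""
    nodes = []
    for m in _FOR_RE.finditer(value):
        nodes.append(m.group("v6") or m.group("v4").split(":")[0])
    return nodes

def analyze_request(req: HttpRequest) -> list:
    """Return the indicator names matched by one request (empty list = nothing seen)."""
    remote_peer = req.src_ip not in LOOPBACK
    claimed = forwarded_for_nodes(req.headers.get("forwarded", ""))
    claims_loopback = any(n.lower() in LOOPBACK for n in claimed)
    ua_match = req.headers.get("user-agent", "").strip().lower() == TRUSTED_UA
    reasons = []
    if remote_peer and claims_loopback:   # header says 127.0.0.1 but the socket peer is remote
        reasons.append("forwarded-claims-loopback-from-remote-peer")
    if remote_peer and ua_match:          # the internal-only User-Agent arriving from outside
        reasons.append("trusted-access-user-agent-from-remote-peer")
    if remote_peer and claims_loopback and ua_match:   # both conditions of the bypass together
        reasons.append("cve-2022-40684-bypass-pattern")
    return reasons

def scan(requests) -> list:
    """Return (src_ip, path, reasons) for every flagged request."""
    return [(r.src_ip, r.path, analyze_request(r)) for r in requests if analyze_request(r)]

# Constructed sample traffic: a bypass attempt, a genuine local report run, a normal login.
SAMPLE_REQUESTS = [
    HttpRequest("203.0.113.10", "/admin", {"forwarded": 'for="[127.0.0.1]:8000";proto=https',
                                           "user-agent": "Report Runner"}),
    HttpRequest("127.0.0.1", "/admin", {"user-agent": "Report Runner"}),
    HttpRequest("198.51.100.7", "/login", {"forwarded": "for=198.51.100.7",
                                           "user-agent": "Mozilla/5.0"}),
]
```

Only the first sample is flagged; the genuine local report run arrives from the loopback peer itself, so the same headers are not treated as suspicious there.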
Impacted Products:
References:
[1] https://www.fortiguard.com/psirt/FG-IR-22-377
[2] https://github.com/horizon3ai/CVE-2022-40684
[3] https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/