Actively Exploited Fortinet Authentication Bypass Vulnerability - CVE-2022-40684

THE THREAT

On October 10th, Fortinet publicly disclosed a critical vulnerability impacting multiple Fortinet products; the vulnerability was confirmed to be under active exploitation at the time of disclosure. The vulnerability is tracked as CVE-2022-40684 (CVSS: 9.6); it is an authentication bypass on administrative interface vulnerability that impacts FortiOS, FortiProxy, and FortiSwitchManager. Successfully exploiting CVE-2022-40684 would allow a remote and unauthenticated threat actor to log into vulnerable on-premises management instances via specially crafted HTTP or HTTPS requests.

On October 13th, a technical report on the vulnerability and functional Proof-of-Concept (POC) exploit code were released. The eSentire Threat Intelligence team assesses with high confidence that the publication of this information will increase real-world attacks in the immediate future. As exploitation is ongoing and expected to increase, impacted organizations are strongly urged to apply the relevant security patches or mitigations immediately.

What we’re doing about it

• eSentire Managed Vulnerability Service (MVS) has plugins in place to identify devices vulnerable to CVE-2022-40684
• eSentire is currently evaluating eSentire MDR for Network detections for CVE-2022-40684
  • Detections will be deployed after validation
• eSentire security teams are tracking this vulnerability for additional details and detection opportunities

What you should do about it

• Fortinet has released both security patches and alternative mitigations to address this vulnerability. Organizations are strongly recommended to apply the security patches as soon as possible, as exploitation is ongoing. If patching is not immediately possible, it is recommended that organizations apply the alternative mitigations.
  • Upgrade FortiOS version 7.2.0 through 7.2.1 to version 7.2.2
  • Upgrade FortiOS version 7.0.0 through 7.0.6 to version 7.0.7 or above
  • Upgrade FortiProxy version 7.2.0 to FortiProxy version 7.2.1 or above
  • Upgrade FortiProxy version 7.0.0 through 7.0.6 to FortiProxy version 7.0.7 or above
  • Upgrade FortiSwitchManager version 7.2.0 to version 7.2.1 or above
  • Upgrade FortiSwitchManager version 7.0.0 to version 7.0.71 or above
• To block remote attackers from bypassing authentication and logging into vulnerable devices, admins should disable HTTP/HTTPS administrative interface or limit the IP addresses that can reach the administrative interface using a Local in Policy.

Additional information

Details on real-world attacks exploiting CVE-2022-40684 have not been made public yet. However, as noted above, there are a number of publicly available proof of concepts to exploit the vulnerability available on code repositories. The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities.

The technical blog outlines how using the Forwarded header, an attacker can set the client_ip to “127.0.0.1.” The “trusted access” authentication check verifies that the client_ip is “127.0.0.1” and the User-Agent is “Report Runner” both of which are under attacker control.

Impacted Products:

• FortiOS versions 5.x, 6.x are NOT impacted.
• FortiOS version 7.2.0 through 7.2.1
• FortiOS version 7.0.0 through 7.0.6
• FortiProxy version 7.2.0
• FortiProxy version 7.0.0 through 7.0.6
• FortiSwitchManager version 7.2.0
• FortiSwitchManager version 7.0.0

References:

[1] https://www.fortiguard.com/psirt/FG-IR-22-377
[2] https://github.com/horizon3ai/CVE-2022-40684
[3] https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/