Authentication bypass found in FortiOS management interface

Target Industry

Affects everyone.

Overview

Fortinet has released a patch for a critical vulnerability (CVE-2022-40684) in their products which is being exploited in the wild.

The bug affects the HTTP/HTTPS management interface for FortiOS FortiProxy and FortiSwitchManager.

Impact

An attacker with network level access to the management interface can bypass authentication requirements and perform administrative actions.

Vulnerability Detection

Check for the following string in user logs which indicates successful exploitation:

user=”Local_Process_Access”

Affected Products

FortiOS version 7.2.0 through 7.2.1
FortiOS version 7.0.0 through 7.0.6
FortiProxy version 7.2.0
FortiProxy version 7.0.0 through 7.0.6
FortiSwitchManager version 7.2.0
FortiSwitchManager version 7.0.0

Containment, Mitigations & Remediations

Fortinet recommend an immediate update or to disable the HTTP/HTTPS management interface.

Where this is not possible, ensure the management interface is not internet-facing and restrict access to approved IPs. Further information on mitigations is provided in their advisory

Fortinet also provides a hardening guide with generic advice on securing their devices.

Indicators of Compromise

None listed.

Threat Landscape

Fortinet reports “an instance” where this vulnerability was exploited in the wild.

Now that the patch has been released, it is likely that threat actors will soon be able to reverse engineer the patch to find out how the vulnerability works.

Threat Group

Initial discovery unknown.

Will be used by opportunistic actors.

Mitre Methodologies

– T1068 – Exploitation for Privilege Escalation
– T1210 – Exploitation of Remote Services

Further Information

FortiOS / FortiProxy / FortiSwitchManager – Authentication bypass on administrative interface