Authentication bypass found in FortiOS management interface
Target Industry
Affects everyone.
Overview
Fortinet has released a patch for a critical vulnerability (CVE-2022-40684) in their products which is being exploited in the wild.
The bug affects the HTTP/HTTPS management interface of FortiOS, FortiProxy and FortiSwitchManager.
Impact
An attacker with network level access to the management interface can bypass authentication requirements and perform administrative actions.
Vulnerability Detection
Check for the following string in user logs which indicates successful exploitation:
user="Local_Process_Access"
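As an added example (not part of Fortinet's advisory or of this page), a small Python script that parses FortiOS-style key=value event-log lines and flags entries carrying the indicator above. The log lines, addresses and field values are constructed for illustration and are not taken from a real device.

```python
import re
from typing import Iterable

# Per the advisory, successful exploitation shows up in the event log with
# the administrative action attributed to this pseudo-user.
EXPLOIT_USER = "Local_Process_Access"

# FortiOS event logs are space-separated key=value pairs; values may be
# double-quoted and may then contain spaces.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_log(line: str) -> dict:
    """Parse one FortiOS key=value log line into a dict (quotes stripped)."""
    fields = {}
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def find_suspicious_events(lines: Iterable[str]) -> list:
    """Return the parsed events whose user field matches the indicator."""
    hits = []
    for line in lines:
        event = parse_fortios_log(line)
        if event.get("user") == EXPLOIT_USER:
            hits.append(event)
    return hits


# Constructed sample log lines (hypothetical values, not real device output).
SAMPLE_LOGS = [
    'date=2022-10-10 time=14:02:11 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="https(203.0.113.5)" srcip=203.0.113.5 '
    'action="login" status="success" msg="Administrator admin logged in successfully"',
    'date=2022-10-10 time=14:05:40 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="Local_Process_Access" ui="https(198.51.100.7)" '
    'action="Add" cfgpath="system.admin" cfgobj="new_admin" msg="Add system.admin new_admin"',
    'date=2022-10-10 time=14:06:01 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin logout successful" user="admin" ui="https(203.0.113.5)" '
    'action="logout" status="success" msg="Administrator admin logged out"',
]

if __name__ == "__main__":
    for ev in find_suspicious_events(SAMPLE_LOGS):
        print(ev["date"], ev["time"], ev.get("action"), ev.get("msg"))
```

Run it against an exported event log (one entry per line) rather than the embedded samples to triage a real device; any hit should be treated as a configuration change to review, not just a login.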
Affected Products
FortiOS version 7.2.0 through 7.2.1
FortiOS version 7.0.0 through 7.0.6
FortiProxy version 7.2.0
FortiProxy version 7.0.0 through 7.0.6
FortiSwitchManager version 7.2.0
FortiSwitchManager version 7.0.0
Containment, Mitigations & Remediations
Fortinet recommends an immediate update or disabling the HTTP/HTTPS management interface.
Where this is not possible, ensure the management interface is not internet-facing and restrict access to approved IPs. Further information on mitigations is provided in their advisory.
Fortinet also provides a hardening guide with generic advice on securing their devices.
Indicators of Compromise
None listed.
Threat Landscape
Fortinet reports “an instance” where this vulnerability was exploited in the wild.
Now that the patch has been released, threat actors will likely be able to reverse engineer it soon to find out how the vulnerability works.
Threat Group
Initial discovery unknown.
Will be used by opportunistic actors.
Mitre Methodologies
– T1068 – Exploitation for Privilege Escalation
– T1210 – Exploitation of Remote Services
Further Information
FortiOS / FortiProxy / FortiSwitchManager – Authentication bypass on administrative interface