CVE-2022-40684: Critical Authentication Bypass Vulnerability in Fortinet Products

Summary

A new critical authentication bypass vulnerability affecting the web admin console for FortiOS and FortiProxy. Threat actors can easily exploit the vulnerability with a crafted HTTP request.

Category: Vulnerability Intelligence
Vulnerability Class: Authentication Bypass
CVE ID: CVE-2022-40684
CVSS:3.0 Score: 9.6

Executive Summary

THREAT
  • A new critical authentication bypass vulnerability affects the web admin console for FortiOS and FortiProxy.
  • Threat actors can easily exploit the vulnerability with a crafted HTTP request.

IMPACT
  • The vulnerability can be leveraged to take over the admin console.
  • Access can lead to the disclosure of sensitive data.
  • A recent development also suggests that the vulnerability can lead to complete server compromise.

MITIGATION
  • Update to the latest versions:
    • FortiOS: 7.0.7 or 7.2.2 or above
    • FortiProxy: 7.0.7 or 7.2.1
  • If an upgrade is not possible, follow the official workaround of whitelisting the IP addresses that can reach the administrative interface using a ‘local-in-policy’.

Investigative Analysis

  • CloudSEK’s Threat Research team conducted an investigation to understand CVE-2022-40684, the latest authentication bypass vulnerability in FortiOS and FortiProxy.
  • An attacker can exploit this vulnerability with a crafted HTTP request to take over the administrative interfaces of these products.
  • The vulnerability was disclosed in an update on 6 October 2022.
  • Fortinet has publicly admitted that they have not released any advisory yet as they want to give their customers ample time to patch or implement workarounds.
  • As of now, there are no publicly available exploits and no exploitation attempt has been detected.
  • However, this scenario is expected to change as soon as a viable exploit is created by threat actors and security researchers.
  • Threat actor groups have previously been observed attempting to exploit a variety of Fortinet vulnerabilities, including CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.

Affected Products

  • The following table lists the Fortinet products and their versions affected by this vulnerability.

SNo.  Product Name  Affected Versions                Updated versions
1.    FortiOS       7.0.0 - 7.0.6 and 7.2.0 - 7.2.1  7.0.7 or 7.2.2
2.    FortiProxy    7.0.0 - 7.0.6 and 7.2.0          7.0.7 or 7.2.1

Information from OSINT

While conducting an open-source investigation, the following was uncovered:
  • Multiple security teams have already created a working exploit for the vulnerability.
  • As mentioned in the following Tweet, one of them plans to release a detailed blog post and PoC later this week. Working exploits like these will aid threat actors.
Screenshot of Tweet mentioning the release of the exploit for CVE-2022-40684

Information from Shodan

A simple Shodan search suggests that Fortinet is used by a large number of organizations worldwide.
Screenshot of Shodan search results
