A critical authentication bypass flaw affecting Fortinet’s FortiOS, FortiProxy, and FortiSwitchManager appliances now has proof-of-concept exploit code available.

Attackers can get around the authentication process on the administrative interface of FortiGate firewalls, FortiProxy web proxies, and FortiSwitch Manager (FSWM) on-premise management instances thanks to this security flaw (CVE-2022-40684).

Last Thursday, Fortinet released security updates to fix this vulnerability. Additionally, it urged clients to “immediately” disable remote management user interfaces on impacted devices in private alerts.

Following the announcement that a CVE-2022-40684 PoC will be made available this week, security researchers from Horizon3.ai today published a proof-of-concept (PoC) exploit and a technical root cause analysis for this vulnerability.

The authentication bypass flaw is intended to be exploited by the PoC exploit in order to set an SSH key for the user specified when the Python script was launched from the command line.

“Almost anything can be done to the vulnerable system by an attacker using this vulnerability. Changing network configurations, adding new users, and starting packet captures are all examples of this “explained James Horseman, the creator of the Horizon3.ai exploit.

This exploit appears to be consistent with recently identified enterprise software flaws where HTTP headers are incorrectly validated or given an excessive amount of trust.

In addition, previous Horizon3.ai analysis suggests that attackers could further compromise systems by:

modifying the SSH keys of the admin users to allow the attacker to access the infected system.
new local users.
updating networking settings to change traffic routing.
the system configuration being downloaded.
initiating packet captures to record additional delicate system data.

attacked actively using this exploit
Although a publicly disclosed proof-of-concept (PoC) exploit would be sufficient motivation to immediately patch all vulnerable FortiOS, FortiProxy, and FortiSwitchManager appliances, the flaw is also being exploited in ongoing attacks.

Although a Fortinet representative declined to comment when asked by BleepingComputer on Friday if the vulnerability is being actively exploited in the wild, the company said on Monday that it was aware of at least one attack where the vulnerability has been abused.

“Fortinet is aware of a situation in which this vulnerability was exploited, and it advises checking your systems immediately for the following indicator of compromise in the logs of the device: Fortinet reported that user= “Local Process Access”.

All Federal Civilian Executive Branch agencies must patch their Fortinet devices by November 1st in order to stop ongoing attacks, according to CISA, which added CVE-2022-40684 to its list of security flaws known to be exploited in the wild on Tuesday.

On Thursday, the cybersecurity firm GreyNoise also disclosed that it had observed attackers attempting to use CVE-2022-40684 in the wild.

Fortinet warned customers last week in private notifications that “internet facing HTTPS Administration should be immediately disabled until the upgrade can be performed” if these devices couldn’t be updated in a timely manner.

Administrators who are unable to disable vulnerable appliances or apply patches instantly can still use the mitigation strategies shared by Fortinet in this security advisory to protect their servers.

The workarounds involve turning off the HTTP/HTTPS administrative interface or putting a local in policy in place to restrict the IP addresses that are allowed to access the admin interface.

Before installing mitigations or patches, users can confirm if their devices have already been compromised by looking for user=” Local Process Access,” user interface=” Node.js,” or user interface=” Report Runner” in the device logs.

IR Number	FG-IR-22-377
Date	Oct 10, 2022
Severity	Critical
CVSSv3 Score	9.6
Impact	Execute unauthorized code or commands
CVE ID	CVE-2022-40684
Affected Products	FortiOS : 7.2.1, 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0FortiProxy : 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0FortiSwitchManager : 7.2.0, 7.0.0

PSIRT Advisories

FortiOS / FortiProxy / FortiSwitchManager – Authentication bypass on administrative interface

Summary

An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.

Exploitation Status:

Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device’s logs:

user=”Local_Process_Access” 

Please contact customer support for assistance.

Workaround:

FortiOS:

Disable HTTP/HTTPS administrative interface

OR

Limit IP addresses that can reach the administrative interface:

config firewall address

edit “my_allowed_addresses”

set subnet <MY IP> <MY SUBNET>

end

Then create an Address Group:

config firewall addrgrp

edit “MGMT_IPs”

set member “my_allowed_addresses”

end

Create the Local in Policy to restrict access only to the predefined group on management interface (here: port1):

config firewall local-in-policy

edit 1

set intf port1

set srcaddr “MGMT_IPs”

set dstaddr “all”

set action accept

set service HTTPS HTTP

set schedule “always”

set status enable

next

edit 2

set intf “any”

set srcaddr “all”

set dstaddr “all”

set action deny

set service HTTPS HTTP

set schedule “always”

set status enable

end

If using non default ports, create appropriate service object for GUI administrative access:

config firewall service custom

edit GUI_HTTPS

set tcp-portrange <admin-sport>

next

edit GUI_HTTP

set tcp-portrange <admin-port>

end

Use these objects instead of “HTTPS HTTP “in the local-in policy 1 and 2 below.

Please contact customer support for assistance.

FortiProxy:

Disable HTTP/HTTPS administrative interface

OR

For FortiProxy VM all versions or FortiProxy appliance 7.0.6:

Limit IP addresses that can reach the administrative interface (here: port1):

config system interface

edit port1

set dedicated-to management

set trust-ip-1 <MY IP> <MY SUBNET>

end

Please contact customer support for assistance.

FortiSwitchManager:

DIsable HTTP/HTTPS administrative interface

Please contact customer support for assistance.

Affected Products

FortiOS versions 5.x, 6.x are NOT impacted.
FortiOS version 7.2.0 through 7.2.1
FortiOS version 7.0.0 through 7.0.6
FortiProxy version 7.2.0
FortiProxy version 7.0.0 through 7.0.6
FortiSwitchManager version 7.2.0
FortiSwitchManager version 7.0.0

Solutions

Please upgrade to FortiOS version 7.2.2 or above
Please upgrade to FortiOS version 7.0.7 or above
Please upgrade to FortiProxy version 7.2.1 or above
Please upgrade to FortiProxy version 7.0.7 or above
Please upgrade to FortiSwitchManager version 7.2.1 or above