A critical authentication bypass flaw affecting Fortinet’s FortiOS, FortiProxy, and FortiSwitchManager appliances now has proof-of-concept exploit code available.
Attackers can get around the authentication process on the administrative interface of FortiGate firewalls, FortiProxy web proxies, and FortiSwitch Manager (FSWM) on-premise management instances thanks to this security flaw (CVE-2022-40684).
Last Thursday, Fortinet released security updates to fix this vulnerability. Additionally, it urged clients to “immediately” disable remote management user interfaces on impacted devices in private alerts.
Following the announcement that a CVE-2022-40684 PoC will be made available this week, security researchers from Horizon3.ai today published a proof-of-concept (PoC) exploit and a technical root cause analysis for this vulnerability.
The authentication bypass flaw is intended to be exploited by the PoC exploit in order to set an SSH key for the user specified when the Python script was launched from the command line.
“Almost anything can be done to the vulnerable system by an attacker using this vulnerability. Changing network configurations, adding new users, and starting packet captures are all examples of this “explained James Horseman, the creator of the Horizon3.ai exploit.
This exploit appears to be consistent with recently identified enterprise software flaws where HTTP headers are incorrectly validated or given an excessive amount of trust.
In addition, previous Horizon3.ai analysis suggests that attackers could further compromise systems by:
modifying the SSH keys of the admin users to allow the attacker to access the infected system.
new local users.
updating networking settings to change traffic routing.
the system configuration being downloaded.
initiating packet captures to record additional delicate system data.
attacked actively using this exploit
Although a publicly disclosed proof-of-concept (PoC) exploit would be sufficient motivation to immediately patch all vulnerable FortiOS, FortiProxy, and FortiSwitchManager appliances, the flaw is also being exploited in ongoing attacks.
Although a Fortinet representative declined to comment when asked by BleepingComputer on Friday if the vulnerability is being actively exploited in the wild, the company said on Monday that it was aware of at least one attack where the vulnerability has been abused.
“Fortinet is aware of a situation in which this vulnerability was exploited, and it advises checking your systems immediately for the following indicator of compromise in the logs of the device: Fortinet reported that user= “Local Process Access”.
All Federal Civilian Executive Branch agencies must patch their Fortinet devices by November 1st in order to stop ongoing attacks, according to CISA, which added CVE-2022-40684 to its list of security flaws known to be exploited in the wild on Tuesday.
On Thursday, the cybersecurity firm GreyNoise also disclosed that it had observed attackers attempting to use CVE-2022-40684 in the wild.
Fortinet warned customers last week in private notifications that “internet facing HTTPS Administration should be immediately disabled until the upgrade can be performed” if these devices couldn’t be updated in a timely manner.
Administrators who are unable to disable vulnerable appliances or apply patches instantly can still use the mitigation strategies shared by Fortinet in this security advisory to protect their servers.
The workarounds involve turning off the HTTP/HTTPS administrative interface or putting a local in policy in place to restrict the IP addresses that are allowed to access the admin interface.
Before installing mitigations or patches, users can confirm if their devices have already been compromised by looking for user=” Local Process Access,” user interface=” Node.js,” or user interface=” Report Runner” in the device logs.
| IR Number | FG-IR-22-377 |
| Date | Oct 10, 2022 |
| Severity |  |
| CVSSv3 Score | 9.6 |
| Impact | Execute unauthorized code or commands |
| CVE ID | CVE-2022-40684 |
| Affected Products | FortiOS : 7.2.1, 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0FortiProxy : 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0FortiSwitchManager : 7.2.0, 7.0.0 |
PSIRT Advisories
FortiOS / FortiProxy / FortiSwitchManager – Authentication bypass on administrative interface
Summary
An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
Exploitation Status:
Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device’s logs:
user=”Local_Process_Access”
Please contact customer support for assistance.
Workaround:
FortiOS:
Disable HTTP/HTTPS administrative interface
OR
Limit IP addresses that can reach the administrative interface:
config firewall address
edit “my_allowed_addresses”
set subnet <MY IP> <MY SUBNET>
end
Then create an Address Group:
config firewall addrgrp
edit “MGMT_IPs”
set member “my_allowed_addresses”
end
Create the Local in Policy to restrict access only to the predefined group on management interface (here: port1):
config firewall local-in-policy
edit 1
set intf port1
set srcaddr “MGMT_IPs”
set dstaddr “all”
set action accept
set service HTTPS HTTP
set schedule “always”
set status enable
next
edit 2
set intf “any”
set srcaddr “all”
set dstaddr “all”
set action deny
set service HTTPS HTTP
set schedule “always”
set status enable
end
If using non default ports, create appropriate service object for GUI administrative access:
config firewall service custom
edit GUI_HTTPS
set tcp-portrange <admin-sport>
next
edit GUI_HTTP
set tcp-portrange <admin-port>
end
Use these objects instead of “HTTPS HTTP “in the local-in policy 1 and 2 below.
Please contact customer support for assistance.
FortiProxy:
Disable HTTP/HTTPS administrative interface
OR
For FortiProxy VM all versions or FortiProxy appliance 7.0.6:
Limit IP addresses that can reach the administrative interface (here: port1):
config system interface
edit port1
set dedicated-to management
set trust-ip-1 <MY IP> <MY SUBNET>
end
Please contact customer support for assistance.
FortiSwitchManager:
DIsable HTTP/HTTPS administrative interface
Please contact customer support for assistance.
Affected Products
FortiOS versions 5.x, 6.x are NOT impacted.
FortiOS version 7.2.0 through 7.2.1
FortiOS version 7.0.0 through 7.0.6
FortiProxy version 7.2.0
FortiProxy version 7.0.0 through 7.0.6
FortiSwitchManager version 7.2.0
FortiSwitchManager version 7.0.0
Solutions
Please upgrade to FortiOS version 7.2.2 or above
Please upgrade to FortiOS version 7.0.7 or above
Please upgrade to FortiProxy version 7.2.1 or above
Please upgrade to FortiProxy version 7.0.7 or above
Please upgrade to FortiSwitchManager version 7.2.1 or above