Fortinet Critical Authentication Bypass Vulnerability
Threat Intelligence from DigitalXRAID’s Security Operations Centre analysts:
A new vulnerability which has recently been patched by Fortinet is being exploited in the wild. A critical authentication bypass vulnerability on the administrator interface allows threat actors to login to FortiGate firewalls, FortiProxy web proxies, and FortiSwitch Manager remotely.
Read more about the CVE detail here: CVE-2022-40684
The CVSS (Common Vulnerability Scoring System) Severity Score has been rated as: 9.6 (critical)
An advisory notice released by Fortinet gave further information, by using specially crafted HTTP or HTTPs requests an attacker could perform actions remotely in the administrator interface without authentication. Fortinet recommends immediately validating your systems against the following indicator of compromise in the device’s logs: user=”Local_Process_Access,”.
A list of vulnerable products (if left unpatched) can be found below:
- FortiOS : 7.2.1, 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0
- FortiProxy : 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0
- FortiSwitchManager : 7.2.0, 7.0.0
To mitigate against this vulnerability, Fortinet has released security patches and recommends that customers update their devices as soon as possible to defender against attacks.
Patched versions are:
- FortiOS 7.0.7 and above
- FortiOS 7.2.2 and above
- FortiProxy 7.0.7 and above
- FortiProxy 7.2.1 and above
- FortiSwitchManager 7.2.1 and above
If it is not possible to immediately deploy the security updates, then there is also a workaround. Admins should disable HTTP/HTTPS administrative interface or limit the IP addresses that can reach the administrative interface using a Local in Policy. More information on the workaround can be found in the PSIRT advisory from Fortinet
If you discover that you’ve suffered a breach as a result of this or any other vulnerability, and need help urgently, get in contact with us. You can call our emergency line on 0800 066 4509 to speak to one of our experts. They’re available 24 hours a day, 7 days a week. Bookmark this page in case you ever need us.
If you need any support in mitigating any risks this vulnerability may have on your business, please don’t hesitate to get in contact.