CVE-2022-40684 is a critical authentication bypass vulnerability that received a CVSSv3 score of 9.6. By sending specially crafted HTTP or HTTPS requests to a vulnerable target, a remote attacker with access to the management interface could perform administrator operations.
The recent FortiOS / FortiProxy / FortiSwitchManager CVE has been reportedly exploited in the wild. Please find below indicators of compromise (IoCs) that customers can use to check if their appliances have been affected:
- user=”Local_Process_Access”
- user_interface=”Node.js”
- user_interface=”Report Runner”
Affected Devices:
- FortiOS : 7.2.1, 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0
- FortiProxy : 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0
- FortiSwitchManager : 7.2.0, 7.0.0
Kindly proceed with the suggested mitigation actions and apply the relevant patches.
If you cannot apply patches immediately, Fortinet states that using a local-in-policy to limit access to the management interface. Fortinet also includes steps on disabling administrative access to the internet facing interface and steps on restricting access to trusted hosts in their FortiGate Hardening Guide.
References:
- https://www.fortiguard.com/psirt/FG-IR-22-377
- https://www.rapid7.com/blog/post/2022/10/07/cve-2022-40684-remote-authentication-bypass-vulnerability-in-fortinet-firewalls-web-proxies/
- https://www.horizon3.ai/fortinet-iocs-cve-2022-40684/
