Cybersecurity Threat Advisory: Fortinet vulnerability CVE-2022-40684
Fortinet has disclosed a critical vulnerability tracked as CVE-2022-40684. A threat actor who successfully exploits it can bypass authentication on the administrative interface of FortiGate firewalls and FortiProxy web proxies and perform administrative operations remotely, without valid credentials. Barracuda MSP recommends that customers running FortiGate firewalls or FortiProxy update FortiOS and FortiProxy to the latest available versions as soon as possible to resolve this vulnerability.
What is the threat?
An authentication bypass vulnerability exists in FortiOS versions 7.0.0 through 7.0.6 and 7.2.0 through 7.2.1, and in FortiProxy versions 7.0.0 through 7.0.6 and 7.2.0. It is an authentication bypass using an alternate path or channel [CWE-288]: an unauthenticated attacker who can reach the administrative interface of FortiOS or FortiProxy can send specially crafted HTTP or HTTPS requests that bypass authentication and perform unauthorized operations on the device. This vulnerability has been rated critical.
Why is it noteworthy?
This vulnerability affects every organization that runs FortiGate firewalls or FortiProxy web proxies on an affected version. Exploitation requires no authentication at all, so a threat actor with network access to the administrative interface gains administrative control remotely. Once a critical vulnerability like this becomes public, attackers accelerate their scanning and exploitation while the window before patching remains open. At the time of writing, more than 100,000 FortiGate firewalls are reachable from the Internet. Because the vulnerability is exploitable remotely, a significant number of devices are currently exposed.
What is the exposure or risk?
When exploited, this vulnerability gives a remote, unauthenticated attacker access to administrator operations on devices running FortiOS versions 7.0.0 through 7.0.6 and 7.2.0 through 7.2.1, and FortiProxy versions 7.0.0 through 7.0.6 and 7.2.0. The primary danger is that the attacker obtains administrative privileges on the device without any credentials. With those privileges the attacker can change the device configuration, move laterally to other systems behind it, delete files, view private information, and install malicious programs. The potential damage is severe, including permanent loss of sensitive or proprietary information, disruption of regular operations, financial losses, and a possible ransomware event.
What are the recommendations?
Barracuda MSP recommends the following actions to limit the impact of this vulnerability:
- Upgrade FortiOS to version 7.0.7 or 7.2.2, and FortiProxy to version 7.0.7 or 7.2.1, immediately
- If you cannot deploy the security updates immediately, restrict the IP addresses that can reach the administrative interface using a local-in policy, and keep that restriction in place even after patching
- Do not expose the administrative interface of any high-value edge device to the public Internet, regardless of patch level
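As an added example (not from the original advisory and not Fortinet's own text), the following FortiOS CLI configuration implements the local-in policy restriction recommended above. The interface name wan1, the address object name MGMT_ALLOWED and the management subnet 10.0.100.0/24 are assumptions; replace them with the values for your environment.

```text
# Added example: restrict the FortiGate administrative interface with a local-in policy.
# Assumed values: Internet-facing interface "wan1", management subnet 10.0.100.0/24.

# 1. Address object for the hosts allowed to administer the device.
config firewall address
    edit "MGMT_ALLOWED"
        set subnet 10.0.100.0 255.255.255.0
        set comment "Hosts permitted to reach the admin interface"
    next
end

# 2. Local-in policies are evaluated in order: accept the allowed subnet first,
#    then deny every other source for the administrative services.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "MGMT_ALLOWED"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action accept
        set comment "Admin access from management network only"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action deny
        set comment "Block admin access from everywhere else"
    next
end

# 3. Verify that both policies are present and in the expected order.
show firewall local-in-policy
```

Two caveats when applying this: local-in policies are bound to an interface, so repeat the pair for every interface that can receive administrative traffic, and the predefined HTTPS service matches TCP/443 only, so if the administrative GUI listens on a custom port you must create a service object for that port and reference it instead. If administrative access from an Internet-facing interface is not needed at all, removing the administrative protocols from that interface's allowaccess setting is simpler than a policy. This is FortiOS syntax; FortiProxy deployments need an equivalent restriction applied on that product.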
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.bleepingcomputer.com/news/security/fortinet-warns-admins-to-patch-critical-auth-bypass-bug-immediately/
- https://www.darkreading.com/vulnerabilities-threats/patch-now-fortinet-fortigate-and-fortiproxy-contain-critical-vuln
- https://www.rapid7.com/blog/post/2022/10/07/cve-2022-40684-remote-authentication-bypass-vulnerability-in-fortinet-firewalls-web-proxies/
- https://securityaffairs.co/wordpress/136786/security/fortinet-critical-flaw.html
- https://cbcns.live/2022/10/fortinet-fortigate-fortiproxy-contain-critical-vuln/
If you have any questions, please contact our Security Operations Center.