Lucene search

K
rapid7blogGlenn ThorpeRAPID7BLOG:4E867F9E4F1818A4F797C0C8A1E26598
HistoryOct 07, 2022 - 4:24 p.m.

CVE-2022-40684: Remote Authentication Bypass Vulnerability in Fortinet Firewalls, Web Proxies

2022-10-0716:24:42
Glenn Thorpe
blog.rapid7.com
4846

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVE-2022-40684: Remote Authentication Bypass Vulnerability in Fortinet Firewalls, Web Proxies

Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too.

On October 3, 2022, Fortinet released a software update that indicates then-current versions of their FortiOS (firewall) and FortiProxy (web proxy) software are vulnerable to CVE-2022-40684, a critical vulnerability that allows remote, unauthenticated attackers to bypass authentication and gain access to the administrative interface of these products with only a specially crafted http/s request.

According to communications from Fortinet that were shared on social media, Fortinet “is strongly recommending all customers with vulnerable versions to perform an immediate upgrade.”

Affected products

  • FortiOS 7.0.0 to 7.0.6
  • FortiOS 7.2.0 to 7.2.1
  • FortiProxy 7.0.0 to 7.0.6
  • FortiProxy 7.2.0
  • FortiSwitchManager 7.0.0
  • FortiSwitchManager 7.2.0

Remediation

On Thursday, October 6, 2022, Fortinet released version 7.0.7 and version 7.2.2, which resolve the vulnerability.

Along with Fortinet, Rapid7 strongly recommends that organizations who are running an affected version of the software upgrade to 7.07 or 7.2.2 immediately, on an emergency basis. These products are edge devices, which are high-value and high-focus targets for attackers looking to gain internal network access. Using prior FortiOS vulnerabilities as in indicator (such as CVE-2018-13379) we expect attackers to focus on CVE-2022-40684 quickly and for quite some time.

Update: On October 10, 2022, Fortinet released advisory FG-IR-22-377 detailing more about the vulnerability as well as confirming known exploitation.

> Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device’s logs:
user="Local_Process_Access"

Furthermore, Rapid7 recommends that all high-value edge devices limit public access to any administrative interface.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2022-40684 on FortiOS via an authenticated scan with a content update released on October 7, 2022.

Updates

10/07/2022 13:30 ET: Updated InsightVM/Nexpose check information.
10/11/2022 10:40 ET: Updated affected products, exploitation, and vulnerability information from Fortinet’s advisory.

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Subscribe

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N