Fortinet warned about a critical authentication bypass vulnerability affecting FortiSwitchManager (FSWM), FortiGate firewall, and FortiProxy web proxy.
The critical vulnerability tracked as CVE-2022-40684 (CVSSv3 9.6) affects the management interfaces, allowing a remote attacker to log onto unpatched systems.
Subsequently, unauthenticated attackers can perform actions on the administrative interface by crafting special HTTP or HTTPS requests.
Fortinet disclosed the security flaw to specific customers on October 7, 2022, in a secret memo that leaked online and was reported by The Hacker News, followed by public disclosure on October 10, 2022.
“Last week, news began to circulate in ever larger circles that Fortinet was privately alerting customers to a critical vulnerability impacting its core operating system and some of its products, potentially to give customers a headstart in patching before going public with more information that could be used by malicious actors,” said Claire Tills, senior research engineer at Tenable.
Fortinet critical vulnerability exploited in the wild
Fortinet disclosed that attackers had exploited the authentication bypass security flaw in the wild. “Fortinet is aware of an instance where this vulnerability was exploited and recommends immediately validating your systems against the following indicator of compromise in the device’s logs: user=’Local_Process_Access,'” the company explained.
Fortigate also discovered other instances where attackers exploited the critical vulnerability to download config files and create a rogue admin account, “fortigate-tech-support.”
Horizon.ai advised users to assume possible authentication bypass if the interface used is Node.js or Report Runner. Although the log description might show “Request failed,” Horizon.ai warned that threat actors might still have succeeded in compromising FortiGate firewalls and FortiProxy web proxy devices.
Fortinet also confirmed another critical vulnerability CVE-2022-33873 (CVSSv3 9.6), that allows unauthenticated attackers to execute commands in the underlying shell.
However, the Sunnyvale, California-based cyber security solutions provider has not confirmed the exploitation status of CVE-2022-33873.
Mitigating FortiOS, FortiProxy, and FortiSwitchManager authentication bypass vulnerability
Fortinet advised network defenders to disable HTTP/HTTPS in the FortiOS, FortiProxy, and FortiSwitchManager administrative interfaces to prevent exploitation of the authentication bypass flaw. Additionally, they should limit IP addresses that can access Fortios and Fortiproxy administrative interfaces for internet-facing devices.
Customers should also upgrade to FortiOS versions 7.0.7 or 7.2.2 and above, FortiProxy versions 7.0.7 or 7.2.1 and above, and FortiSwitchManager version 7.2.1 and above. FG6000F and 7000E/F users should update to FortiOS version 7.0.5 B8001 or above.
Fortinet requests immediate remediation of the authentication bypass fault to prevent potential remote exploitation.
“Due to the ability to exploit this issue remotely, Fortinet is strongly recommending all customers with the vulnerable versions to perform an immediate upgrade,” advised Fortinet.
Threat intelligence firm Cyberthint says that a deep web scan discovered more than 150,000 potentially vulnerable instances exposed online.
SANS Institute also detected increased scanning of an older path traversal critical vulnerability CVE-2018-13379 (CVSSv3 9.8), possibly to identify vulnerable systems. Threat actors could potentially leverage CVE-2018-13379 to move laterally after exploiting the authentication bypass fault.
While Fortinet releases security fixes for discovered vulnerabilities every second Tuesday of the month, coinciding with Microsoft’s Patch Tuesday, many would expect an earlier release considering the gravity and known exploitation of the authentication bypass critical vulnerability.
