A critical authentication bypass vulnerability in Fortinet products was patched last week, but Fortinet confirmed today that it is already being exploited in the wild.

The flaw (CVE-2022-40684) is an authentication bypass on the administrative interface that lets remote attackers log into FortiGate firewalls, FortiProxy web proxies and on-premise FortiSwitch Manager (FSWM) management instances.

According to a Fortinet advisory released today, the vulnerability in FortiOS, FortiProxy and FortiSwitchManager may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.

The company released security updates to address the flaw on Thursday. It also warned some customers by email, in what it called an “advanced communication,” to disable remote management user interfaces on affected devices “with the utmost haste.”

When BleepingComputer contacted Fortinet on Friday, a spokesperson declined to say whether the vulnerability was being exploited in the wild and said more information would be released soon.

Today, days after sending out the private notification, Fortinet acknowledged that it is aware of at least one attack in which CVE-2022-40684 was exploited.

Recommendations

“Fortinet is aware of a situation in which this vulnerability was exploited, and it advises checking your systems promptly for the following indicator of compromise in the device's logs: user="Local_Process_Access",” the company said.

The full list of Fortinet products vulnerable to attacks attempting to exploit CVE-2022-40684 if left unpatched is as follows:

  • FortiOS: 7.2.1, 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0
  • FortiProxy: 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0
  • FortiSwitchManager: 7.2.0, 7.0.0

To protect their devices, Fortinet advises customers to upgrade vulnerable installations to FortiOS 7.0.7 or 7.2.2 and above, FortiProxy 7.0.7 or 7.2.1 and above, and FortiSwitchManager 7.2.1 and above.

PoC exploit ready to be released

Security researchers at the Horizon3 Attack Team have developed proof-of-concept (PoC) exploit code and announced that they will publish it later this week.

A Shodan search shows more than 140,000 FortiGate firewalls reachable from the Internet. Those whose administrative interfaces are also exposed, and which have not been patched, are likely targets.

Workaround also available

Fortinet also provided details on how customers who cannot apply the security patches promptly can block incoming attacks in the meantime.

To prevent remote attackers from bypassing authentication and logging into vulnerable devices, administrators should disable the HTTP/HTTPS administrative interface or restrict the IP addresses allowed to reach it using a local-in policy.

Fortinet's PSIRT advisory from Monday, October 10, gives step-by-step instructions for disabling the vulnerable admin interface on FortiOS, FortiProxy and FortiSwitchManager, or for restricting access to it by IP address.

“If these devices cannot be updated in a timely way, internet-facing HTTPS Administration should be immediately deactivated until the upgrade can be executed,” Fortinet said in notices sent to some of its customers last week.
