Fortinet is urging customers to patch a critical authentication bypass flaw in several of its products that has already been exploited in the wild.

The networking company fixed the vulnerability, tracked as CVE-2022-40684, earlier this month in its FortiOS network operating system, its FortiProxy secure web proxy, and its FortiSwitchManager management platform.

The vulnerability lets an unauthenticated attacker reach the administrative interface with specially crafted HTTP or HTTPS requests and perform administrative operations, for example adding an SSH key to the admin user.

Affected versions are FortiOS 7.0.0 through 7.0.6 and 7.2.0 through 7.2.1, FortiProxy 7.0.0 through 7.0.6 and 7.2.0, and FortiSwitchManager 7.0.0 and 7.2.0.


In an email sent earlier this month, Fortinet informed customers that the listed devices were vulnerable and urged them to upgrade to FortiOS 7.0.7 or 7.2.2 and higher, FortiProxy 7.0.7 or 7.2.1 and higher, and FortiSwitchManager 7.2.1 or higher. Customers who cannot upgrade immediately were advised to disable the HTTPS administrative interface on internet-facing interfaces until they can.
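The affected ranges and fixed releases above are easy to misread when checking a fleet by hand. The following is an added example, not code from the article or from Fortinet, that encodes those ranges and reports, for a constructed inventory, which devices are affected and the minimum release each should move to. The version-string handling assumes the `v7.0.6,build0366` form that FortiOS prints from `get system status`; the host names are invented.

```python
# Added example, not code from the article or from Fortinet: check an inventory
# of Fortinet devices against the CVE-2022-40684 affected ranges quoted above and
# report the fixed release each one should move to.
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive (lowest, highest) affected ranges, per the advisory summary above.
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "FortiOS": [((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 1))],
    "FortiProxy": [((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 0))],
    "FortiSwitchManager": [((7, 0, 0), (7, 0, 0)), ((7, 2, 0), (7, 2, 0))],
}

# First fixed release on each affected branch, per the upgrade guidance above.
# FortiSwitchManager has no 7.0.x fix listed, so its 7.0 branch maps to 7.2.1.
FIXED: Dict[str, Dict[Tuple[int, int], Version]] = {
    "FortiOS": {(7, 0): (7, 0, 7), (7, 2): (7, 2, 2)},
    "FortiProxy": {(7, 0): (7, 0, 7), (7, 2): (7, 2, 1)},
    "FortiSwitchManager": {(7, 0): (7, 2, 1), (7, 2): (7, 2, 1)},
}


def parse_version(text: str) -> Version:
    """Turn '7.0.6', 'v7.2.1' or 'v7.0.6,build0366' into an int tuple.

    The 'v7.0.6,build0366' form is what `get system status` prints on FortiOS
    (assumption), so anything after the first comma is discarded.
    """
    core = text.strip().lstrip("vV").split(",")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def is_affected(product: str, version: str) -> bool:
    """True if this product/version falls inside an affected range."""
    if product not in AFFECTED:
        raise ValueError(f"unknown product: {product!r}")
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED[product])


def fixed_release(product: str, version: str) -> Optional[str]:
    """Minimum release to upgrade to, or None if the version is not affected."""
    if not is_affected(product, version):
        return None
    branch = parse_version(version)[:2]
    return ".".join(str(n) for n in FIXED[product][branch])


def assess(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, version, fix) for every affected device."""
    findings = []
    for host, product, version in inventory:
        fix = fixed_release(product, version)
        if fix is not None:
            findings.append((host, product, version, fix))
    return findings


if __name__ == "__main__":
    # Constructed sample inventory; the host names are invented.
    sample = [
        ("fw-edge-01", "FortiOS", "v7.0.6,build0366"),
        ("fw-edge-02", "FortiOS", "7.2.2"),
        ("proxy-01", "FortiProxy", "7.2.1"),
        ("fsm-01", "FortiSwitchManager", "7.0.0"),
    ]
    for host, product, version, fix in assess(sample):
        print(f"{host}: {product} {version} is affected, upgrade to {fix} or later")
```

Note that FortiOS 7.2.1 is affected while FortiProxy 7.2.1 is a fixed release; the per-product tables keep those two cases apart, which is the mistake a single shared range would make.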

Horizon3.ai released proof-of-concept exploit code for the vulnerability after the patch was made available.

“An attacker can practically do anything they want to the susceptible system by taking advantage of this vulnerability. This includes beginning packet captures, creating new users, and altering network configurations,” it said.

It should be noted that there may be further ways to trigger this vulnerability. For instance, a modified version of the exploit uses the User-Agent string “Node.js”, so detection that keys on a single request pattern will miss variants.

Exploitation in the wild

According to cybersecurity firm Cyfirma, the vulnerability is being scanned for and exploitation attempts are under way in the wild.

According to the statement, “Our intelligence research community detected Iranian and Chinese threat actors taking advantage of Fortinet products’ vulnerabilities.” “The suspected threat actors in the continuing campaign are US17IRGCorp alias APT34, HAFNIUM, and its affiliates.”


Cyfirma claimed that Iranian threat actors appeared to be working together with Chinese groups and Russian cybercriminals in a campaign supporting Russia’s offensive in Ukraine.

According to Cyfirma, the main topics of discussion on dark web forums have been exploiting vulnerabilities in enterprise networks that rely on Fortinet’s technologies, manipulator-in-the-middle (MITM) attacks, potential ransomware attacks, and lateral movement to push deeper into the networks of compromised organisations.

Patching advice reiterated

Fortinet issued a further warning in response to the discovery of attacks in the wild, which raised the urgency of the problem.

Fortinet reiterated its recommendation to update, saying it was aware of cases where the vulnerability was used to add a rogue super-admin account named “fortigate-tech-support” and to download the configuration file from affected devices. Both are indicators worth sweeping for on any device that was exposed before it was patched.
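The indicators quoted here (the “fortigate-tech-support” account and the configuration-file download) together with the “Node.js” User-Agent mentioned for the modified exploit above are concrete enough to sweep logs for. The following is an added example, not code from the article or from Fortinet: it parses FortiOS-style key=value event log lines and flags events matching those indicators, plus an SSH key being set on an admin account, which is what the public exploit does. The log lines are constructed for illustration, and the field names (`ui`, `cfgpath`, `cfgobj`, `cfgattr`, `logdesc`, `srcip`) and the “Configuration file downloaded” description are assumptions about the log format rather than a transcript from a real device.

```python
# Added example, not code from the article or from Fortinet: sweep FortiOS-style
# key=value event logs for the CVE-2022-40684 post-exploitation indicators the
# article quotes. The log lines are CONSTRUCTED for illustration, and the field
# names (ui, cfgpath, cfgobj, cfgattr, logdesc, srcip) are an assumption about
# the log format rather than output captured from a real device.
import re
from typing import Dict, List, Set, Tuple

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

ROGUE_ADMIN = "fortigate-tech-support"  # account name reported by Fortinet
SUSPECT_USER_AGENTS = ("Node.js",)       # User-Agent noted for the modified PoC

# Constructed sample events: one legitimate login, then three exploit-style
# events from a single source address.
SAMPLE_LOGS = [
    'date=2022-10-12 time=09:01:11 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="https(192.0.2.10)" srcip=192.0.2.10 '
    'action="login" status="success" msg="Administrator admin logged in successfully"',
    'date=2022-10-12 time=09:03:42 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="Node.js" srcip=203.0.113.45 '
    'action="Edit" cfgpath="system.admin" cfgobj="admin" '
    'cfgattr="ssh-public-key1[ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial]" '
    'msg="Edit system.admin admin"',
    'date=2022-10-12 time=09:04:10 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object configured" user="admin" ui="https(203.0.113.45)" srcip=203.0.113.45 '
    'action="Add" cfgpath="system.admin" cfgobj="fortigate-tech-support" '
    'cfgattr="accprofile[super_admin]" msg="Add system.admin fortigate-tech-support"',
    'date=2022-10-12 time=09:05:27 type="event" subtype="system" level="notice" vd="root" '
    'logdesc="Configuration file downloaded" user="fortigate-tech-support" '
    'ui="https(203.0.113.45)" srcip=203.0.113.45 action="download" '
    'msg="Configuration file downloaded by fortigate-tech-support"',
]


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict, dropping quotes around values."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def check_event(event: Dict[str, str]) -> List[str]:
    """Return one description per indicator the event matches (empty if clean)."""
    hits: List[str] = []
    ui = event.get("ui", "")
    user = event.get("user", "")
    cfgpath = event.get("cfgpath", "")
    cfgobj = event.get("cfgobj", "")
    cfgattr = event.get("cfgattr", "")
    logdesc = event.get("logdesc", "")

    if any(agent in ui for agent in SUSPECT_USER_AGENTS):
        hits.append(f"admin action via unexpected user interface {ui!r}")
    if cfgpath == "system.admin" and cfgobj == ROGUE_ADMIN:
        hits.append(f"admin account {ROGUE_ADMIN!r} created or modified")
    if cfgpath == "system.admin" and "ssh-public-key" in cfgattr:
        hits.append(f"SSH public key set on admin account {cfgobj!r}")
    if user == ROGUE_ADMIN:
        hits.append(f"activity performed by rogue account {ROGUE_ADMIN!r}")
    if "configuration file downloaded" in logdesc.lower():
        hits.append(f"configuration file downloaded by {user!r}")
    return hits


def sweep(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, source IP, description) for every indicator hit."""
    findings: List[Tuple[int, str, str]] = []
    for number, line in enumerate(lines, 1):
        event = parse_line(line)
        for hit in check_event(event):
            findings.append((number, event.get("srcip", "?"), hit))
    return findings


def suspicious_sources(findings: List[Tuple[int, str, str]]) -> Set[str]:
    """Distinct source addresses behind the findings, for blocking or hunting."""
    return {srcip for _, srcip, _ in findings}


if __name__ == "__main__":
    results = sweep(SAMPLE_LOGS)
    for number, srcip, description in results:
        print(f"line {number} from {srcip}: {description}")
    print("sources to investigate:", sorted(suspicious_sources(results)))
```

Because the exploit bypasses authentication, there need not be a login event to anchor on; the configuration-change and download events are the more reliable trail, which is why the rules key on those rather than on login records. A device that matches any rule should be treated as compromised, not merely unpatched: rotate admin credentials and keys and review the downloaded configuration for secrets.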

Four days later, many vulnerable organisations still had not patched their systems, prompting Fortinet to issue yet another warning.

“After multiple notifications from Fortinet over the past week, there are still a significant number of devices that require mitigation, and following the publication by an outside party of PoC code, there is active exploitation of this vulnerability,” it said.

In a statement, the company adds: “As part of our commitment to the security of our customers, we continue to proactively reach out to strongly urge them to immediately follow the guidance provided in our October 10 PSIRT Advisory (FG-IR-22-377), as we continue monitoring the situation.”
