[German]There is an authentication bypass vulnerability CVE-2022-40684 in the FortiGate firewalls, FortiProxy web proxies and FortiSwitch Manager (FSWM) that allows attackers to access the products without authentication. Fortinet had already warned in early October 2022 – but attacks on the systems are probably taking place in the meantime. Administrators should check the affected products for compromise as soon as possible and secure the systems.
Fortinet has published the security warning FG-IR-22-377 (FortiOS / FortiProxy / FortiSwitchManager – Authentication bypass on administrative interface) on October 10, 2022.CVE-2022-40684 allows authentication bypass using an alternate path or channel. Therefore, in FortiOS, FortiProxy, and FortiSwitchManager, an unauthenticated attacker can succeed in performing operations on the administrative interface via specially crafted HTTP or HTTPS requests. Vulnerable to the vulnerability are firmware versions including:
- FortiOS : 7.2.1, 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0
- FortiProxy : 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0
- FortiSwitchManager : 7.2.0, 7.0.0
Fortinet is aware of one case where this vulnerability has been exploited and recommends immediately scanning systems for a compromise in the device's logs using the following indicator:
customer support. Firmware updates are available from the vendor to update FortiOS. Subsequent versions eliminate the vulnerability:
- FortiOS 7.2.2 or higher
- FortiOS 7.0.7 or higher
- FortiProxy 7.2.1 or higher
- FortiProxy 7.0.7 or higher
- FortiSwitchManager 7.2.1 or higher
To secure existing systems against such attacks, the vendor recommends disabling the HTTP/HTTPS management interface. Alternatively, IP addresses with access to the administrative interface should be limited. Details on this can be found in security alert FG-IR-22-377.
Addendum: According to the tweet above, Horizon AI has published a detailled analysis of the vulnerability and a Proof of Concept.
Cookies helps to fund this blog: Cookie settings