Auth bypass bug in FortiOS, FortiProxy is exploited in the wild (CVE-2022-40684)

After privately warning customers last week that they need to patch or mitigate CVE-2022-40684, a critical vulnerability affecting FortiOS, FortiProxy, and FortiSwitchManager, Fortinet has finally confirmed that it “is aware of an instance where this vulnerability was exploited.”

CVE-2022-40684

But their advice to organizations to immediately check their systems for a specific indicator of compromise makes it sound like they believe more widespread attacks have happened or are happening.

About CVE-2022-40684

CVE-2022-40684 is an authentication bypass vulnerability on vulnerable devices’ administrative interface that can be triggered by sending a specially crafted HTTP(S) requests.

It affects:

  • FortiOS versions: 7.2.1, 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0
  • FortiProxy versions: 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0
  • FortiSwitchManager versions: 7.2.0, 7.0.0

Successful exploitation may allow attackers with access to the management interface to perform administrator operations and to, essentially, take control of the device.

The patch has already been reverse-engineered by security researchers:

It seems likely that other attackers will soon get their hands on an exploit or create one themselves and start targeting exposed and vulnerable FortiGate firewalls and FortiProxy secure web gateways around the world. (FortiOS vulnerabilities are often exploited by attackers).

What should you do?

You should upgrade your Fortinet appliances to a firmware version with the fix:

  • FortiOS version 7.2.2 or above, or version 7.0.7 or above
  • FortiProxy version 7.2.1 or above, or 7.0.7 or above
  • FortiSwitchManager version 7.2.1 or above

If that’s not possible, depending on the device, you should disable the HTTP/HTTPS administrative interface or limit IP addresses that can reach the administrative interface.

Finally, you should look for the following string in the device’s logs: user=”Local_Process_Access”. If you find it, your device has been compromised, and you should investigate the extent of the breach.

UPDATE (October 13, 2022, 05:35 a.m. ET):

Horizon3.ai researchers have shared more IoCs defenders can search for, as well as additional mitigation advice.

GreyNoise has created a tag page for the exploit registered by Fortinet, which is currently being lauched from one IP address.

UPDATE (October 14, 2022, 10:15 a.m. ET):

Horizon3.ai researchers have released a PoC exploit for CVE-2022-40684 and exploitation attempts are mounting.

Don't miss