After privately warning customers last week that they need to patch or mitigate CVE-2022-40684, a critical vulnerability affecting FortiOS, FortiProxy, and FortiSwitchManager, Fortinet has finally confirmed that it “is aware of an instance where this vulnerability was exploited.”
But their advice to organizations to immediately check their systems for a specific indicator of compromise makes it sound like they believe more widespread attacks have happened or are happening.
CVE-2022-40684 is an authentication bypass vulnerability on vulnerable devices’ administrative interface that can be triggered by sending a specially crafted HTTP(S) requests.
- FortiOS versions: 7.2.1, 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0
- FortiProxy versions: 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0
- FortiSwitchManager versions: 7.2.0, 7.0.0
Successful exploitation may allow attackers with access to the management interface to perform administrator operations and to, essentially, take control of the device.
The patch has already been reverse-engineered by security researchers:
I can confirm, CVE-2022-40684 is really simple to exploit and easy to weaponize.
is not only a "Auth bypass to some functions", this vulnerability causes a full device takeover!
— Carlos Vieira (lynx) (@carlos_crowsec) October 10, 2022
Hey @todb, we did not discover the original issue – we only reversed the patch. We'll credit the original researcher in our blog post when / if that information is made public.
— Zach Hanley (@hacks_zach) October 10, 2022
It seems likely that other attackers will soon get their hands on an exploit or create one themselves and start targeting exposed and vulnerable FortiGate firewalls and FortiProxy secure web gateways around the world. (FortiOS vulnerabilities are often exploited by attackers).
What should you do?
You should upgrade your Fortinet appliances to a firmware version with the fix:
- FortiOS version 7.2.2 or above, or version 7.0.7 or above
- FortiProxy version 7.2.1 or above, or 7.0.7 or above
- FortiSwitchManager version 7.2.1 or above
If that’s not possible, depending on the device, you should disable the HTTP/HTTPS administrative interface or limit IP addresses that can reach the administrative interface.
Finally, you should look for the following string in the device’s logs: user=”Local_Process_Access”. If you find it, your device has been compromised, and you should investigate the extent of the breach.
UPDATE (October 13, 2022, 05:35 a.m. ET):
Horizon3.ai researchers have shared more IoCs defenders can search for, as well as additional mitigation advice.
GreyNoise has created a tag page for the exploit registered by Fortinet, which is currently being lauched from one IP address.
UPDATE (October 14, 2022, 10:15 a.m. ET):
Horizon3.ai researchers have released a PoC exploit for CVE-2022-40684 and exploitation attempts are mounting.