Fortinet has recently warned users about a severe zero-day vulnerability affecting numerous products. As revealed, an authentication bypass flaw exists in FortiGate firewalls and FortiProxy web proxies that has been under active exploit before a fix. While the vendors have patched the vulnerability, users must rush to update their systems to avoid mishaps.
Fortinet Zero-Day Authentication Bypass Vulnerability
According to a recent Fortinet advisory, a critical-severity authentication bypass vulnerability riddles FortiOS, FortiProxy, and FortiSwitchManager. Exploiting the flaw requires sending maliciously crafted HTTP or HTTPS requests, which allows the adversary to gain admin privileges.
The vulnerability, CVE-2022-40684, has received a critical-severity rating with a CVSS score of 9.8. The vendors also confirmed to have detected active exploitation of the flaw.
Describing the issue, the advisory reads,
An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
The flaw affects FortiOS versions 7.0.0 to 7.0.6, and 7.2.0 to 7.2.1, FortiProxy version 7.0.0 to 7.0.6 and 7.2.0, and FortiSwitchManager versions 7.0.0 and 7.2.0.
Fortinet fixed the issue and deployed the patches with subsequent software updates upon detecting the flaw. Specifically, the patched versions include,
- FortiOS version 7.0.7 or higher and 7.2.2 or above
- FortiProxy version 7.0.7 or above and 7.2.1 or above
- FortiSwitchManager version 7.2.1 or above
Users should upgrade to these patched versions at the earliest to avoid facing any exploitation attempts.
However, when an immediate update isn’t available, Fortinet has shared different workarounds that users may implement. They urge users to disable the HTTP/HTTPS administrative interface for all three vulnerable products. Or, FortiOS and FortiProxy users may also consider limiting the IP addresses reaching the admin interface. For this, Fortinet has shared the steps in the advisory.
It is unclear how this vulnerability is impacting systems in active exploitation attempts. Fortinet has also not shared precise details about the exploit, given the underlying risks. However, a separate team of researchers has shared a PoC for the flaw, urging users to patch their systems at the earliest.
Another appliance vuln down…
CVE-2022-40684, affecting multiple #Fortinet solutions, is an auth bypass that allows remote attackers to interact with all management API endpoints.
Blog post and POC coming later this week. Patch now. pic.twitter.com/YS7svIljAw
— Horizon3 Attack Team (@Horizon3Attack) October 10, 2022
Let us know your thoughts in the comments.