CVE-2022-40684: Fortinet Authentication Bypass Vulnerability Explained

.A newly disclosed flaw in FortiOS, FortiProxy, and FortiSwitchManager has reportedly been exploited in the wild. It enables an attacker to bypass authentication and sign in as an administrator on affected systems.

Picus Labs has updated the Picus Threat Library with attacks that exploit the CVE-2022-40684 vulnerability affecting FortiOS, FortiProxy, and FortiSwitchManager products. We also updated the Picus Mitigation Library with prevention signatures of network security controls. 

Simulate Vulnerability Exploitation Attacks with 14-Day Free Trial of Picus Platform

Which FortiOS, FortiProxy and FortiSwitchManager Products are Affected by the Vulnerability?

FortiLab Guard Labs has confirmed that the vulnerability affects the following Fortinet FortiOS, FortiProxy, and FortiSwitchManager products. 

• Affected FortiOS Products
  
• 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.2.0, 7.2.1
  
  
• Affected FortiProxy Products
  
• 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.2.0

• FortiSwitchManager Products
  
• 7.0.0, 7.2.0
  

What is the Impact of CVE-2022-40684 Vulnerability?

The CVE-2022-40684 vulnerability allows adversaries to bypass authentication and login into the vulnerable systems as an administrator in FortiOS / FortiProxy / FortiSwitchManager products.

Having admin user rights, adversaries can 

• add new users to the vulnerable system, 
• reroute the network traffic by updating network configurations, 
• listen to and capture sensitive data by running packet capturing programs,
• download system configurations [1].

The CVSSv3 score of the vulnerability is 9.6 Critical.

CVE-2022-40684 Vulnerability Exploitation Explained

Below, you can see an example Proof of Concept (PoC) that abuses the authentication bypass vulnerability to set an SSH key for the specified user [3].

The Proof of Concept (PoC)

1. Adversaries can exploit this vulnerability with any HTTP method such as GET, POST, PUT, DELETE, etc. In the following example, the attacker sends an HTTP PUT request to the API. 

2. Through the “Forwarded header”, the attacker is able to set the client_ip to  “127.0.0.1”. This allows the attacker to perform an authentication bypass as the “trusted access” authentication check verifies that the client_ip is “127.0.0.1” and User-Agent is “Report Runner”, which are directly controlled by the attacker.

3. Being allowed to send a PUT request to the API, the attacker can modify the admin users’ SSH keys to enable themselves to login to the target system. 

Example

How to Mitigate CVE-2022-40684 Vulnerability?

In their PSIRT Advisories blog, the FortiGuard Labs have given some mitigation suggestions and recommended performing the following upgrades according to the vulnerable products [2].

For FortiOS:

• Upgrade to version 7.2.2 or above
• Upgrade to version 7.0.7 or above

If applying patch is not possible for some other reasons, apply the following mitigation suggestions.

• Suggestion 1: Disable HTTP/HTTPS administrative interface
• Suggestion 2: Limit IP addresses that can reach the administrative interface

• Then create an Address Group:

• Create the Local in Policy to restrict access only to the predefined group on management interface (here: port1):

• If you are using non default ports, create appropriate service object for GUI administrative access:

Use these objects instead of "HTTPS HTTP "in the local-in policy 1 and 2 above.

For FortiProxy:

• Upgrade to version 7.2.1 or above
• Upgrade to version 7.0.7 or above

If applying patch is not possible for some other reasons, apply the following mitigation suggestions.

• Suggestion 1: Disable HTTP/HTTPS administrative interface
• Suggestion 2: For FortiProxy VM all versions or FortiProxy appliance 7.0.6:
• Limit IP addresses that can reach the administrative interface (here: port1):

For FortiSwitchManager:

• Upgrade to version 7.2.1 or above: Disable HTTP/HTTPS administrative interface

How does Picus Simulate FortiOS / FortiProxy / FortiSwitchManager the CVE-2022-40684 Authentication Bypass on Administrative Interface Vulnerability Exploit?

We also strongly suggest simulating FortiOS / FortiProxy / FortiSwitchManager   CVE-2022-40684 authentication bypass on administrative interface vulnerability exploitation attack to assess the effectiveness of your security controls using the Picus Complete Security Control Validation Platform. You can test your defenses against the CVE-2022-40684  vulnerability exploitation attacks and assess your security posture against the exploitation of hundreds of commonly exploited vulnerabilities within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threat for CVE-2022-40684 vulnerability: 

References

[1] J. Horseman, “FortiOS, FortiProxy, and FortiSwitchManager Authentication Bypass IOCs (CVE-2022-40684),” Horizon3.ai, Oct. 11, 2022. [Online]. Available: https://www.horizon3.ai/fortinet-iocs-cve-2022-40684/. [Accessed: Oct. 18, 2022]

[2] “PSIRT Advisories,” FortiGuard. [Online]. Available: https://fortiguard.com/psirt/FG-IR-22-377. [Accessed: Oct. 18, 2022]

[3] “GitHub - horizon3ai/CVE-2022-40684: A proof of concept exploit for CVE-2022-40684 affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager,” GitHub. [Online]. Available: https://github.com/horizon3ai/CVE-2022-40684. [Accessed: Oct. 18, 2022]