24 May 2024

Security advisory: critical Fortinet authentication bypass vulnerability exploited in the wild

A critical authentication bypass vulnerability is being exploited in the wild. It affects Fortinet devices that have not been updated to the firmware Fortinet released on October 3, 2022, or later.

If the administrative web interface of a vulnerable Fortinet device is exposed to the internet, an unauthenticated remote attacker can gain full administrative access to the device. That access gives remote code execution (RCE) on the device itself and an entry point into the internal network behind it.

Details

CVE-2022-40684 is the identifier assigned to this vulnerability. The following products and versions are affected:

  • FortiOS version 7.2.0 through 7.2.1
  • FortiOS version 7.0.0 through 7.0.6
  • FortiProxy version 7.2.0
  • FortiProxy version 7.0.0 through 7.0.6
  • FortiSwitchManager version 7.2.0
  • FortiSwitchManager version 7.0.0
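The affected ranges above, expressed as a version check that a practitioner can run against an inventory or against the first line of a device's `get system status` output. This is an added example, not Fortinet tooling; the status line is a constructed sample whose format is an assumption, and the ranges are copied from the list above.

```python
"""Version check for CVE-2022-40684 against the affected ranges listed above.
Added example, not Fortinet tooling. The ranges are the advisory's; SAMPLE_STATUS
is constructed to match the shape of 'get system status' output (assumption)."""

import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges, inclusive, exactly as listed in the advisory.
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "FortiOS":            [((7, 2, 0), (7, 2, 1)), ((7, 0, 0), (7, 0, 6))],
    "FortiProxy":         [((7, 2, 0), (7, 2, 0)), ((7, 0, 0), (7, 0, 6))],
    "FortiSwitchManager": [((7, 2, 0), (7, 2, 0)), ((7, 0, 0), (7, 0, 0))],
}

VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Version:
    """Pull the first major.minor.patch triple out of a string such as
    '7.0.6', 'v7.0.6' or 'v7.0.6,build0366,221004 (GA.F)'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(product: str, version: str) -> bool:
    """True if product/version falls inside an affected range. Products the
    advisory does not list (or other major versions) return False."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED.get(product, []))


# Constructed sample of a 'get system status' first line (format is an assumption).
SAMPLE_STATUS = "Version: FortiGate-100F v7.0.6,build0366,221004 (GA.F)"


def check_status_line(line: str) -> bool:
    """Decide for a FortiGate (FortiOS) status line. FortiProxy and
    FortiSwitchManager would be checked with their own product key."""
    return is_affected("FortiOS", line)


if __name__ == "__main__":
    for product, ver in [("FortiOS", "7.0.6"), ("FortiOS", "7.0.7"),
                         ("FortiProxy", "7.2.0"), ("FortiSwitchManager", "7.0.1")]:
        print(product, ver, "AFFECTED" if is_affected(product, ver) else "not affected")
    print(SAMPLE_STATUS, "->", "AFFECTED" if check_status_line(SAMPLE_STATUS) else "not affected")
```

The check is deliberately strict about the three-part version: a bare "7.0" is rejected rather than padded, because a guessed patch level is exactly the kind of error that lets an affected device slip through an inventory review.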

Fortinet has released fixed versions (FortiOS 7.0.7 and 7.2.2, FortiProxy 7.0.7 and 7.2.1, FortiSwitchManager 7.0.1 and 7.2.1), but updating Fortinet firmware requires an active support license. As of October 14, 2022, GreyNoise (greynoise.io), an internet-scanning data platform, had observed 44 IP addresses exploiting this vulnerability at scale over the preceding three days.

Exploitation is trivial, and public exploits have been circulating since October 14, 2022. Since the exploit was published, significant numbers of malicious IP addresses have been observed performing internet-wide scanning and exploitation. Patch immediately and remove the administrative interface from the internet.

Vulnerability and Exploitation Identification

Any appliance running an affected version with its web administrative interface (HTTP or HTTPS) enabled is vulnerable. Internet-facing interfaces are at the greatest risk because of the larger attack surface, and exploitation in the wild has been observed against them.

To identify exploitation of this vulnerability, search the device event logs for the following user value, which appears on actions the exploit performs:

    user="Local_Process_Access"

To identify and block inbound traffic exploiting this vulnerability, the following User-Agent headers on inbound web requests can be used as signatures for this attack:

    User-Agent: Node.js
    User-Agent: Report Runner

These User-Agent values come from the public exploit tooling and are trivial for an attacker to change, so their absence is not evidence that a device is clean. Treat a User-Agent match as a reason to look, and the user="Local_Process_Access" log entries as the confirmation.
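The two checks above, run over sample data, as an added example (not code from the page or from Fortinet). It assumes the space-separated key=value syntax of FortiOS event logs; the log lines and the HTTP request are constructed, not real captures. The log check also keeps the ui (user interface) field, where Fortinet's own advisory reports the same Node.js and Report Runner strings.

```python
"""Scan FortiOS-style event logs and raw HTTP requests for the
CVE-2022-40684 indicators named in this advisory.
Added example; the log lines are constructed to mimic the key=value
syntax of FortiOS event logs, not real captures."""

import re
from typing import Dict, Iterable, List

# FortiOS logs are space-separated key=value pairs; values with spaces are quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Indicators from the advisory: the user the exploit acts as, and the
# User-Agent strings seen in exploitation traffic. Fortinet's advisory reports
# the same two strings in the log's ui (user interface) field.
EXPLOIT_USER = "Local_Process_Access"
EXPLOIT_UAS = {"Node.js", "Report Runner"}


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Turn one log line into a dict; quoted and bare values are both handled."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def find_exploitation(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return parsed events where user=Local_Process_Access. The ui field is
    kept so the analyst sees Node.js / Report Runner alongside the user."""
    return [ev for ev in map(parse_fortios_log, lines) if ev.get("user") == EXPLOIT_USER]


def user_agent_matches(raw_request: str) -> bool:
    """True if an inbound HTTP request carries one of the signature User-Agents.
    Header names are matched case-insensitively; values must match exactly."""
    head = re.split(r"\r?\n\r?\n", raw_request, maxsplit=1)[0]
    for hdr in re.split(r"\r?\n", head)[1:]:          # skip the request line
        name, _, value = hdr.partition(":")
        if name.strip().lower() == "user-agent" and value.strip() in EXPLOIT_UAS:
            return True
    return False


# Constructed sample events (not real captures): one benign admin login, one
# configuration change made as Local_Process_Access via Node.js, one failed login.
SAMPLE_LOGS = [
    'date=2022-10-14 time=10:12:03 type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="admin" ui="https(203.0.113.10)" action="login" status="success"',
    'date=2022-10-14 time=10:13:47 type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="Local_Process_Access" ui="Node.js" '
    'action="Edit" cfgpath="system.admin" cfgobj="admin" msg="Edit system.admin admin"',
    'date=2022-10-14 time=10:14:02 type="event" subtype="system" level="information" '
    'logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" action="login" status="failed"',
]

# Constructed inbound request carrying one of the signature User-Agents.
SAMPLE_REQUEST = "GET / HTTP/1.1\r\nHost: fw.example.internal\r\nUser-Agent: Report Runner\r\n\r\n"

if __name__ == "__main__":
    for ev in find_exploitation(SAMPLE_LOGS):
        print(f"{ev['date']} {ev['time']} user={ev['user']} ui={ev.get('ui')} "
              f"{ev.get('msg', ev.get('logdesc'))}")
    print("request matches UA signature:", user_agent_matches(SAMPLE_REQUEST))
```

On a real investigation, feed the output of the device's log export (or the syslog feed) into find_exploitation and pay attention to the cfgpath and msg fields of any hit: a change under system.admin is exactly what an attacker uses to persist after the bypass. The User-Agent check is the cheap, easily evaded filter; the log check is the one that tells you whether the device was actually touched.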

Mitigation

To mitigate this vulnerability, patch to a fixed version immediately and remove the administrative interface from the internet. Where patching cannot happen at once, Fortinet's workaround is to disable the HTTP/HTTPS administrative interface, or to restrict the source addresses that can reach it with a local-in policy, until the update is applied. Full mitigation advice is given by Fortinet in their security advisory: https://www.fortiguard.com/psirt/FG-IR-22-377
