Late Thursday, 6 October 2022, Fortinet disclosed a critical remote authentication bypass vulnerability —CVE-2022-40684— impacting FortiOS and FortiProxy. The vulnerability could allow a remote unauthenticated threat actor to obtain access to the administrative interface and perform operations via specially crafted HTTP or HTTPS requests.
Product | Impacted Versions | Fixed Versions |
FortiOS | 7.0.0 to 7.0.6
7.2.0 to 7.2.1 |
7.0.7
7.2.2 |
FortiProxy | 7.0.0 to 7.0.6
7.2.0 |
7.0.7
7.2.2 |
According to CISA’s Known Exploited Vulnerabilities Catalog, threat actors have historically exploited similar Fortinet vulnerabilities to obtain initial access and move laterally within a victim’s environment. Arctic Wolf assesses threat actors will likely develop a PoC exploit and exploit this vulnerability in the near term based on historical precedence and the privileges obtained via this vulnerability.
Recommendations for CVE-2022-40684
Recommendation #1: Upgrade FortiOS and FortiProxy
Arctic Wolf strongly recommends upgrading FortiOS and FortiProxy to fully remediate CVE-2022-40684.
Product | Fixed Versions |
FortiOS | 7.0.7
7.2.2 |
FortiProxy | 7.0.7
7.2.2 |
Note: Arctic Wolf recommends following change management best practices for applying upgrades, including testing changes in a dev environment before deploying to production to avoid any operational impact.
Recommendation #2: Do Not Expose Admin Interfaces Externally
Following best practices, the administrative interface should not be exposed externally. Limit IP addresses that can reach the administrative interface using a local-in-policy and implement multi-factor authentication (MFA) to make successful exploitation significantly more difficult.
For more information on this refer to Customer Support Bulletin CSB-221006-1 and the Fortinet user authentication best practices document here: https://docs.fortinet.com/document/fortigate/7.2.0/best-practices/127480/user-authentication-for-management-network-access