CVE-2022-40684: Critical Remote Authentication Bypass Vulnerability in FortiOS & FortiProxy


Late Thursday, 6 October 2022, Fortinet disclosed a critical remote authentication bypass vulnerability, CVE-2022-40684, impacting FortiOS and FortiProxy. The vulnerability could allow a remote, unauthenticated threat actor to obtain access to the administrative interface and perform operations via specially crafted HTTP or HTTPS requests.

Product    | Impacted Versions | Fixed Version
-----------|-------------------|--------------
FortiOS    | 7.0.0 to 7.0.6    | 7.0.7
FortiOS    | 7.2.0 to 7.2.1    | 7.2.2
FortiProxy | 7.0.0 to 7.0.6    | 7.0.7
FortiProxy | 7.2.0             | 7.2.2

According to CISA's Known Exploited Vulnerabilities Catalog, threat actors have historically exploited similar Fortinet vulnerabilities to obtain initial access and move laterally within a victim's environment. Arctic Wolf assesses that threat actors will likely develop a PoC exploit and exploit this vulnerability in the near term, based on historical precedent and the privileges obtained via this vulnerability.

Recommendations for CVE-2022-40684

Recommendation #1: Upgrade FortiOS and FortiProxy 

Arctic Wolf strongly recommends upgrading FortiOS and FortiProxy to fully remediate CVE-2022-40684.  

Product    | Fixed Versions
-----------|---------------
FortiOS    | 7.0.7, 7.2.2
FortiProxy | 7.0.7, 7.2.2

Note: Arctic Wolf recommends following change management best practices for applying upgrades, including testing changes in a dev environment before deploying to production to avoid any operational impact. 

Recommendation #2: Do Not Expose Admin Interfaces Externally 

Following best practices, the administrative interface should not be exposed externally. Limit IP addresses that can reach the administrative interface using a local-in-policy and implement multi-factor authentication (MFA) to make successful exploitation significantly more difficult. 

For more information on this refer to Customer Support Bulletin CSB-221006-1 and the Fortinet user authentication best practices document here: https://docs.fortinet.com/document/fortigate/7.2.0/best-practices/127480/user-authentication-for-management-network-access  
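As an added example that is not part of the bulletin or Fortinet's own documentation, the following FortiOS CLI fragment shows Recommendation #2 applied to a hypothetical WAN interface named port1: the weak state with HTTPS and SSH management enabled on the interface, followed by the hardened form that removes those services and, where management on that interface cannot be avoided, restricts it with a local-in-policy. The interface name, the address object name MGMT_ALLOWED and the permitted range 10.0.0.0/24 are assumptions.

```text
# Weak: HTTPS/SSH administration reachable from any source on the WAN interface
config system interface
    edit "port1"
        set allowaccess ping https ssh
    next
end

# Hardened step 1: remove management services from the externally facing interface
config system interface
    edit "port1"
        set allowaccess ping
    next
end

# Hardened step 2: if management on port1 is unavoidable, allow it only from a
# trusted internal range (assumed value) and deny it from everywhere else.
config firewall address
    edit "MGMT_ALLOWED"
        set subnet 10.0.0.0 255.255.255.0
    next
end

config firewall local-in-policy
    # Policy 1: accept HTTPS/SSH only from the permitted source range
    edit 1
        set intf "port1"
        set srcaddr "MGMT_ALLOWED"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action accept
    next
    # Policy 2: deny the same services from all other sources
    # (local-in policies are evaluated top to bottom, so the accept must come first)
    edit 2
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action deny
    next
end
```

Apply the allowaccess change from a session on a different, internal interface (or the console), since removing HTTPS/SSH from the interface you are currently managing through ends that session.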


Steven Campbell


Steven Campbell is a Senior Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of experience in intelligence analysis and security research. He has a strong background in infrastructure analysis and adversary tradecraft.