CVE-2022-40684: Widespread Exploitation of Critical Fortinet Authentication Bypass Vulnerability


Previously published blog post:

Recently, Arctic Wolf observed threat actors begin exploiting CVE-2022-40684, a critical remote authentication bypass vulnerability impacting FortiOS, FortiProxy, and FortiSwitchManager. Based on our telemetry and on-going investigations, the threat actors have leveraged the vulnerability to further their objectives by:

  • Accessing and downloading the appliance’s configuration file
    • Arctic Wolf has observed threat actors leveraging Node.js and Report Runner accounts to download the file.
    • The file includes, but is not limited to, cleartext rules, policies, filtering settings, usernames and routing configuration, as well as passwords encrypted with the private-encryption-key.
  • Creating privileged administrator accounts
  • Uploading and running scripts

Fortinet is aware of a singular instance where this vulnerability was successfully exploited; based on our telemetry and threat intelligence, however, we assess this vulnerability is being actively exploited in widespread campaigns.

Product             Impacted Versions   Fixed Versions
FortiOS             7.0.0 to 7.0.6      7.0.7
                    7.2.0 to 7.2.1      7.2.2
FortiProxy          7.0.0 to 7.0.6      7.0.7
                    7.2.0               7.2.2
FortiSwitchManager  7.0.0               7.2.1
                    7.2.0

Note: FortiSwitchManager was not included as an affected product in the initial Fortinet advisory published on October 6, 2022.

According to CISA’s Known Exploited Vulnerabilities Catalog, threat actors have historically exploited similar Fortinet vulnerabilities to obtain initial access and move laterally within a victim’s environment. We assess those threat actors will continue to exploit this vulnerability in the near term to obtain initial access and access sensitive information, such as the appliance’s configuration file, due to the ease of exploitation, the potential for payload delivery, and the prevalence of affected Fortinet devices within enterprise environments.

Recommendations

Recommendation #1: Upgrade FortiOS, FortiProxy, and FortiSwitchManager

We strongly recommend upgrading FortiOS, FortiProxy, and FortiSwitchManager to fully remediate CVE-2022-40684.

Product             Fixed Versions
FortiOS             7.0.7, 7.2.2
FortiProxy          7.0.7, 7.2.2
FortiSwitchManager  7.2.1

Note: Arctic Wolf recommends following change management best practices for applying upgrades, including testing changes in a dev environment before deploying to production to avoid any operational impact.

Recommendation #2: Do Not Expose Admin Interfaces Externally

Following best practices, the administrative interface should not be exposed externally. We strongly recommend limiting the IP addresses that can reach the administrative interface. This can be done in multiple ways, including:

  • Using a local-in policy; refer to PSIRT Advisory FG-IR-22-377.
  • Disabling HTTP/HTTPS administrative access on all externally exposed interfaces.
  • Restricting access to trusted hosts only; refer to Fortinet’s System Administrator Best Practices document.

Recommendation #3: Implement Multi-Factor Authentication

Implement multi-factor authentication (MFA) to reduce the impact of successful exploitation of a Fortinet appliance.

Additional information on best practices can be found in Fortinet’s User Authentication for Management Network Access document and their Multi-Factor Authentication Document Library.

If there is any indication that your Fortinet appliance has been compromised, we strongly recommend following these additional steps to secure your appliance.

Recommendation #4: Perform a Clean Installation on All Compromised Devices

Upgrade the appliance to the latest firmware version and restore the configuration from a known good backup; if a known good backup is not available, create a clean configuration.

  • Do not use the existing configuration: Restoring from an existing configuration may allow threat actors to maintain persistence on the device, as we have observed privileged administrator accounts being created shortly after exploitation. Furthermore, CVE-2022-40684 allows the threat actor to access and download the configuration file used on the device.

Recommendation #5: Roll Access Credentials for All Successfully Exploited Appliances

We strongly recommend rolling all access credentials on successfully exploited appliances. This includes:

  • Any user or admin accounts that exist within the Fortinet appliance’s local user database.
  • VPN users if their credentials are stored locally on the appliance.
  • LDAP user credentials used for LDAP authentication with Active Directory.
  • RADIUS secrets and IPsec pre-shared keys.

By accessing and downloading the configuration file, threat actors will have access to cleartext usernames and encrypted passwords. It is possible that threat actors can crack these encrypted passwords using a variety of tools. This would put these credentials at risk for re-use in follow-up intrusions.

Recommendation #6: Disable Any Unrecognized Administrator Accounts on Fortinet Appliances

We recommend performing an audit of all administrator accounts on Fortinet appliances for any accounts that have been recently created or have an unrecognized username.

Arctic Wolf has observed threat actors attempting to create a new user account called super_admin when modifying the firewall configuration. If you believe that you have been compromised, please review your firewall configuration for any unauthorized accounts added recently.

Any unauthorized administrator accounts detected on the appliances should be disabled immediately.

Recommendation #7: Revoke Local Certificates and Issue New Certificates

Because the configuration file is exposed, threat actors could leverage the local certificates it contains to conduct additional malicious activity. Revoke any local certificates exposed in the configuration file and issue new ones to prevent future malicious use.

Recommendation #8: Leverage Non-Default TCP Ports for Administrative Access

If you are unable to disable administrative access on a public interface, consider leveraging non-default TCP ports to increase the difficulty of exploitation and identification via scanning activity.
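Several of the recommendations above (#1 impacted versions, #2 admin exposure and trusted hosts, #6 unrecognised administrator accounts, #8 default admin ports) can be checked mechanically against a configuration backup. The script below is an added example written for this page; it is not Arctic Wolf's or Fortinet's code. It assumes the standard FortiOS backup layout (a `#config-version=<model>-<version>-FW-...` header followed by `config` / `edit` / `set` / `next` / `end` blocks), treats an admin with no `trusthostN` entry as reachable from any address, and takes the list of externally facing interface names from the caller. The backup text embedded in it is constructed for the demonstration and deliberately shows the weak state each check looks for, including a user account named `super_admin` as reported above.

```python
import re
import shlex

# Impacted ranges (inclusive) copied from the advisory's table.
IMPACTED = {
    "FortiOS": [((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 1))],
    "FortiProxy": [((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 0))],
    "FortiSwitchManager": [((7, 0, 0), (7, 0, 0)), ((7, 2, 0), (7, 2, 0))],
}

# Constructed sample backup (not from a real device): impacted build, HTTPS admin
# on the WAN interface, default admin ports, and an added "super_admin" user.
SAMPLE_CONFIG = """\
#config-version=FGT60F-7.0.5-FW-build0304-220411:opmode=0:vdom=0:user=admin
config system global
    set hostname "fw-edge-01"
end
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
    edit "internal"
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set accprofile "super_admin"
    next
    edit "super_admin"
        set accprofile "super_admin"
    next
end
"""

def parse_fortios_config(text):
    """Parse config/edit/set/next/end into {section: {entry: {key: [values]}}}.
    Settings directly under a config block (no edit) live under entry ""."""
    sections, stack = {}, []  # stack items: [section path, current entry name]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # header lines are metadata, not config
            continue
        cmd, *args = shlex.split(line)  # keeps quoted names like "wan1" intact
        if cmd == "config":
            path = " ".join(args)
            if stack:  # nested config inside an edit block
                path = f"{stack[-1][0]}/{stack[-1][1]}/{path}"
            sections.setdefault(path, {})
            stack.append([path, ""])
        elif cmd == "edit":
            stack[-1][1] = args[0]
            sections[stack[-1][0]].setdefault(args[0], {})
        elif cmd in ("set", "unset"):
            entry = sections[stack[-1][0]].setdefault(stack[-1][1], {})
            if cmd == "set":
                entry[args[0]] = args[1:]
            else:
                entry.pop(args[0], None)
        elif cmd == "next":
            stack[-1][1] = ""
        elif cmd == "end":
            stack.pop()
    return sections

def firmware_version(text):
    """(major, minor, patch) taken from the #config-version header."""
    m = re.search(r"^#config-version=\S+?-(\d+)\.(\d+)\.(\d+)-", text, re.M)
    return tuple(int(x) for x in m.groups()) if m else None

def is_impacted(product, version):
    """Recommendation #1: is this build inside one of the impacted ranges?"""
    return any(lo <= version <= hi for lo, hi in IMPACTED[product])

def unexpected_admins(cfg, baseline):
    """Recommendation #6: admin accounts that are not on the known-good list."""
    return sorted(set(cfg.get("system admin", {})) - set(baseline))

def admins_without_trusthost(cfg):
    """Recommendation #2: admins with no trusthostN entry (assumed reachable from anywhere)."""
    return sorted(name for name, s in cfg.get("system admin", {}).items()
                  if not any(k.startswith("trusthost") for k in s))

def exposed_admin_interfaces(cfg, external):
    """Recommendation #2: external interfaces still allowing HTTP/HTTPS administration."""
    return sorted(name for name, s in cfg.get("system interface", {}).items()
                  if name in external and {"http", "https"} & set(s.get("allowaccess", [])))

def uses_default_admin_ports(cfg):
    """Recommendation #8: admin-port/admin-sport left at the defaults 80/443."""
    g = cfg.get("system global", {}).get("", {})
    return g.get("admin-port", ["80"])[0] == "80" and g.get("admin-sport", ["443"])[0] == "443"

def audit(text, product, baseline_admins, external_ifaces):
    """Run every check over one backup and return the findings as strings."""
    cfg, ver = parse_fortios_config(text), firmware_version(text)
    findings = []
    if ver and is_impacted(product, ver):
        findings.append(f"{product} {'.'.join(map(str, ver))} is in an impacted range; upgrade")
    findings += [f"unrecognised admin account '{n}'; review and disable" for n in unexpected_admins(cfg, baseline_admins)]
    findings += [f"admin '{n}' has no trusthost restriction" for n in admins_without_trusthost(cfg)]
    findings += [f"interface '{n}' allows HTTP/HTTPS admin access externally" for n in exposed_admin_interfaces(cfg, external_ifaces)]
    if uses_default_admin_ports(cfg):
        findings.append("admin ports are the defaults (80/443)")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "FortiOS", ["admin"], ["wan1"]):
        print("FINDING:", finding)
```

To run it against a real appliance, pass the text of an exported backup (for example `audit(open("backup.conf").read(), "FortiOS", known_admins, ["wan1", "wan2"])`) with the product name matching the advisory's table. The admin-account check only reports names missing from the baseline, so it will not catch a legitimate account whose password was reset; credential rolling (Recommendation #5) still has to be done for every account on a compromised device.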


Steven Campbell


Steven Campbell is a Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of experience in intelligence analysis and security research. He has a strong background in infrastructure analysis and adversary tradecraft.