Previously published blog post:
Recently, Arctic Wolf observed threat actors begin exploiting CVE-2022-40684, a critical remote authentication bypass vulnerability impacting FortiOS, FortiProxy, and FortiSwitchManager. Based on our telemetry and on-going investigations, the threat actors have leveraged the vulnerability to further their objectives by:
- Accessing and downloading the appliance’s configuration file
- Arctic Wolf has observed threat actors leverage Node.js and Report Runner accounts to download the file.
- This includes and is not exclusive to cleartext rules, policies, filtering, usernames, routing configurations, as well as encrypted passwords encrypted via the private-encryption-key.
- Creating privileged administrator accounts
- Uploading and running scripts
Fortinet is aware of a singular instance where this vulnerability was successfully exploited; based on our telemetry and threat intelligence, however, we assess this vulnerability is being actively exploited in widespread campaigns.
|Product||Impacted Versions||Fixed Versions|
|FortiOS||7.0.0 to 7.0.6
7.2.0 to 7.2.1
|FortiProxy||7.0.0 to 7.0.6
Note: FortiSwitchManager was not included as an affected product in the initial Fortinet advisory published on October 6, 2022.
According to CISA’s Known Exploited Vulnerabilities Catalog, threat actors have historically exploited similar Fortinet vulnerabilities to obtain initial access and move laterally within a victim’s environment. We assess those threat actors will continue to exploit this vulnerability in the near term to obtain initial access and access sensitive information, such as the appliance’s configuration file, due to the ease of exploitation, the potential for payload delivery, and the prevalence of affected Fortinet devices within enterprise environments.
Recommendation #1: Upgrade FortiOS, FortiProxy, and FortiSwitchManager
We strongly recommend upgrading FortiOS, FortiProxy, and FortiSwitchManager to fully remediate CVE-2022-40684.
Note: Arctic Wolf recommends following change management best practices for applying upgrades, including testing changes in a dev environment before deploying to production to avoid any operational impact.
Recommendation #2: Do Not Expose Admin Interfaces Externally
Following best practices, the administrative interface should not be exposed externally. We strongly recommend limiting IP addresses that can reach the administrative interface, this can be done in multiple ways, including:
- Using a local-in policy, refer to PSIRT Advisory FG-IR-22-377.
- Disable HTTP/HTTPS administrative access on all interfaces exposed externally.
- Restrict access to only trusted hosts, refer to Fortinet’s System Administrator Best Practices document.
Recommendation #3: Implement Multi-Factor Authentication
Implement multi-factor authentication (MFA) to reduce the impact of successful exploitation of a Fortinet appliance.
If there is any indication that your Fortinet appliance has been compromised, we strongly recommend following these additional steps to secure your appliance.
Recommendation #4: Perform a Clean Installation on All Compromised Devices
Upgrade the appliance to the latest firmware version and restore the configuration from a known good backup; if a known good backup is not available create a clean configuration.
- Do not use the existing configuration: Restoring from an existing configuration may allow threat actors to maintain persistence on the device, as we have observed privileged administrator accounts being created shortly after exploitation. Furthermore, CVE-2022-40684 allows the threat actor to access and download the configuration file used on the device.
Recommendation #5: Roll Access Credentials for All Successfully Exploited Appliances
We strongly recommend rolling all access credentials on successfully exploited appliances. This includes:
- Any user or admin accounts that exist within the Fortinet appliance’s local user database.
- VPN users if their credentials are stored locally on the appliance.
- LDAP user credentials used for LDAP authentication with Active Directory.
- RADIUS secrets and IPSEC Pre-Shared Keys.
By accessing and downloading the configuration file, threat actors will have access to cleartext usernames and encrypted passwords. It is possible that threat actors can crack these encrypted passwords using a variety of tools. This would put these credentials at risk for re-use in follow-up intrusions.
Recommendation #6: Disable Any Unrecognized Administrator Accounts on Fortinet Appliances
We recommend performing an audit of all administrator accounts on Fortinet appliances for any accounts that have been recently created or have an unrecognized username.
Arctic Wolf has observed threat actors attempting to create a new user account called super_admin when modifying the firewall configuration. If you believe that you have been compromised, please review your firewall configuration for any unauthorized accounts added recently.
Any unauthorized administrator accounts detected on the appliances should be disabled immediately.
Recommendation #7: Revoke Local Certificates and Issue New Certificates
Due to the configuration file being exposed, threat actors could leverage the Local certificates to conduct additional malicious activity. Revoke any local certificates exposed in the configuration file and issue new ones to prevent future malicious use.
Recommendation #8: Leverage Non-Default TCP Ports for Administrative Access
If you are unable to disable administrative access on a public interface, consider leveraging non-default TCP ports to increase the difficulty of exploitation and identification via scanning activity.
- FortiOS Release Notes: https://docs.fortinet.com/document/fortigate/7.2.2/fortios-release-notes/289806/resolved-issues
- FortiNet PSIRT Advisory: https://www.fortiguard.com/psirt/FG-IR-22-377