A working exploit to bypass the authentication protocols in Fortinet devices is in the wild, which may let breaches reach your devices to do anything they want!
This critical bug is prevailing in FortiProxy, FortiSwitchManager, and virtually in all devices running on FortiOS. Though the maker released a patch to fix it, it’s the end customers who need to apply it to safeguard themselves.
Fortinet Authentication Bypass Bug
Since dealing in network security, Fortinet is often subject to risks of cyberattacks. So it suggests its users patch any known vulnerabilities in its devices to safeguard themselves.
The latest one in such warnings has been about the CVE-2022-40684 – a security flaw in Fortinet’s FortiOS, FortiProxy, and FortiSwitchManager appliances letting attackers bypass the authentication and virtually do anything they want with the compromised system.
Horizon3.ai security researchers have released a proof-of-concept (POC) exploit for this bug after promising to release one later this week. The PoC even includes a technical root cause analysis for this vulnerability, making the understanding easier.
Another appliance vuln down…
CVE-2022-40684, affecting multiple #Fortinet solutions, is an auth bypass that allows remote attackers to interact with all management API endpoints.
Blog post and POC coming later this week. Patch now. pic.twitter.com/YS7svIljAw
— Horizon3 Attack Team (@Horizon3Attack) October 10, 2022
Attackers leveraging this bug can bypass the authentication process on the administrative interface of FortiGate firewalls, FortiProxy web proxies, and FortiSwitch Manager (FSWM) on-premise management instances and do the following;
- Modifying the admin users’ SSH keys to enable the attacker to log in to the compromised system.
- Adding new local users.
- Updating networking configurations to reroute traffic.
- Downloading the system configuration.
- Initiating packet captures to capture other sensitive system information.
Though initially denied to comment, Fortinet eventually revealed that it’s aware of active exploitation of this bug in the wild. To check whether your Fortinet device is impacted or not, check the devices’ logs for user=” Local_Process_Access”, user_interface=” Node.js”, or user_interface=” Report Runner”.
And if you’re not able to apply a patch, Fortinet suggested workarounds of disabling the HTTP/HTTPS administrative interface or limiting the IP addresses through a Local in Policy of your devices.
Fortinet released patches for this bug last Thursday and urged the customers to apply urgently to keep themselves safe. It’s so serious that the CISA has added Fortinet’s bug to its security bugs list and is forcing all the Federal Civilian Executive Branch agencies to patch their devices by November 1st.
