
Fortinet Authentication Bypass Vulnerability - CVE-2022-40684

Nov 25, 2022

Introduction:

The latest FortiOS / FortiProxy / FortiSwitchManager vulnerability has reportedly been exploited in the wild. It allows an attacker to bypass authentication and log in as an administrator on an affected system.

  • Vulnerability Release Time: Oct/Nov 2022

  • Vulnerability Component Name: FortiOS - FortiProxy - FortiSwitchManager

  • Affected Products:

    • FortiOS: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.2.0, 7.2.1

    • FortiProxy: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.2.0

    • FortiSwitchManager: 7.0.0, 7.2.0

    • FortiOS versions 5.x and 6.x are NOT impacted

Solutions:

  • Upgrade to FortiOS version 7.2.2 or above

  • Upgrade to FortiOS version 7.0.7 or above

  • Upgrade to FortiProxy version 7.2.1 or above

  • Upgrade to FortiProxy version 7.0.7 or above

  • Upgrade to FortiSwitchManager version 7.2.1 or above

  • Upgrade to FortiSwitchManager version 7.0.1 or above

  • Upgrade to FortiOS version 7.0.5 B8001 or above for FG6000F and 7000E/F series platforms
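As an added example (not code from the original post or from Fortinet), the following Python snippet turns the affected and fixed version lists above into a check that can be run over an asset inventory: it parses a reported version string, tests it against each affected branch, and names the first fixed release for that branch. The inventory rows and host names are constructed; the hardware-specific build exception (7.0.5 B8001 for FG6000F and 7000E/F platforms) is not modelled, so treat those platforms separately.

```python
# Added example, not from the Vicarius post or Fortinet: triage an inventory of
# Fortinet devices against the CVE-2022-40684 affected/fixed versions listed
# in the advisory text above. Version ranges come from that text; the
# 7.0.5 B8001 exception for FG6000F/7000E/F hardware is intentionally not modelled.
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Per product: (first affected, first fixed) for each affected branch.
AFFECTED_RANGES = {
    "FortiOS": [((7, 0, 0), (7, 0, 7)), ((7, 2, 0), (7, 2, 2))],
    "FortiProxy": [((7, 0, 0), (7, 0, 7)), ((7, 2, 0), (7, 2, 1))],
    "FortiSwitchManager": [((7, 0, 0), (7, 0, 1)), ((7, 2, 0), (7, 2, 1))],
}


def parse_version(text: str) -> Version:
    """Turn 'v7.0.6', '7.0.6' or '7.0' into a comparable (major, minor, patch) tuple."""
    nums = [int(p) for p in text.strip().lstrip("vV").split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def check(product: str, version: str) -> Tuple[bool, Optional[str]]:
    """Return (vulnerable, first_fixed_release_or_None) for one device.

    5.x and 6.x fall outside every affected branch and therefore report False,
    which matches the advisory's 'NOT impacted' note.
    """
    if product not in AFFECTED_RANGES:
        raise ValueError(f"unknown product: {product}")
    v = parse_version(version)
    for first_bad, first_fixed in AFFECTED_RANGES[product]:
        if first_bad <= v < first_fixed:
            return True, ".".join(str(n) for n in first_fixed)
    return False, None


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Rows (host, product, version, fix) for every device that still needs patching."""
    rows = []
    for host, product, version in inventory:
        vulnerable, fix = check(product, version)
        if vulnerable and fix is not None:
            rows.append((host, product, version, fix))
    return rows


# Constructed inventory for the example; host names and versions are made up.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "7.0.6"),
    ("fw-edge-02", "FortiOS", "7.2.2"),
    ("fw-branch-03", "FortiOS", "6.4.9"),
    ("proxy-01", "FortiProxy", "v7.2.0"),
    ("fsm-01", "FortiSwitchManager", "7.0.1"),
]

if __name__ == "__main__":
    for host, product, version, fix in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is affected, upgrade to {fix} or later")
```

Feed it the product and firmware version strings from whatever inventory source you already have; anything it flags is on a version the advisory lists as affected and should be patched or, failing that, covered by the workarounds in the Mitigation section.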

Execution Summary:

The CVE-2022-40684 vulnerability allows adversaries to bypass authentication and log in to vulnerable FortiOS / FortiProxy / FortiSwitchManager systems as an administrator.

With administrator rights, adversaries can:

  • add new users to the vulnerable system

  • reroute the network traffic by updating network configurations

  • listen to and capture sensitive data by running packet capturing programs

CVSS v3:

  • Base Score: 9.8 (Critical)

  • Attack Vector: Network

  • Attack Complexity: Low

  • Privileges Required: None

  • User Interaction: None

  • Confidentiality Impact: High

  • Integrity Impact: High

  • Availability Impact: High

Mitigation:

As mitigation measures and security workarounds, the Fortinet advisory recommends disabling the HTTP/HTTPS administrative interface or limiting the IP addresses that can reach it. Customers are also strongly advised to upgrade potentially vulnerable software to the fixed versions.

Furthermore, in its PSIRT advisory, FortiGuard Labs has given mitigation suggestions and recommended the following upgrades for each vulnerable product.

For FortiOS:

  • Upgrade to version 7.2.2 or above

  • Upgrade to version 7.0.7 or above

If applying the patch is not possible for other reasons, apply the following mitigation suggestions.

Suggestion 1: Disable the HTTP/HTTPS administrative interface.

Suggestion 2: Limit the IP addresses that can reach the administrative interface.

Create an address object for the allowed management hosts:

    config firewall address
        edit "my_allowed_addresses"
            set subnet <MY IP> <MY SUBNET>
        end

Then create an address group:

    config firewall addrgrp
        edit "MGMT_IPs"
            set member "my_allowed_addresses"
        end

Create a local-in policy that restricts access on the management interface to the predefined group only:

    config firewall local-in-policy
        edit 1
            set intf port1
            set srcaddr "MGMT_IPs"
            set dstaddr "all"
            set action accept
            set service HTTPS HTTP
            set schedule "always"
            set status enable
        next
        edit 2
            set intf "any"
            set srcaddr "all"
            set dstaddr "all"
            set action deny
            set service HTTPS HTTP
            set schedule "always"
            set status enable
        end

If you are using non-default ports, create the appropriate service objects for GUI administrative access:

    config firewall service custom
        edit GUI_HTTPS
            set tcp-portrange <admin-sport>
        next
        edit GUI_HTTP
            set tcp-portrange <admin-port>
        end

Use these objects instead of "HTTPS HTTP" in local-in policies 1 and 2 above.

For FortiProxy:

  • Upgrade to version 7.2.1 or above

  • Upgrade to version 7.0.7 or above

If applying the patch is not possible for other reasons, apply the following mitigation suggestions.

Suggestion 1: Disable the HTTP/HTTPS administrative interface.

Suggestion 2: For FortiProxy VM (all versions) or FortiProxy appliance 7.0.6, limit the IP addresses that can reach the administrative interface:

    config system interface
        edit port1
            set dedicated-to management
            set trust-ip-1 <MY IP> <MY SUBNET>
        end

For FortiSwitchManager:

Upgrade to version 7.2.1 or above. Workaround: disable the HTTP/HTTPS administrative interface.

Technical Analysis / Exploits:

We found an open admin panel link and tried the default credentials, but they failed.

Now that our default-credential attempt did not work, let's try a different exploitation technique. Use the link below to open the exploit Python script.

    https://github.com/horizon3ai/CVE-2022-40684

Open the Python script file and copy the complete code. Create a new file in your local directory and paste the copied Python code into it.

    In our case we created a file named pocforti.py and pasted the code into it.

Now let's run this Python script and let it do the magic trick. Use the command below with the Fortinet admin server IP, port number, and your public key path.

python3 pocforti.py -t <fortinet admin server ip>:<port number> --username admin --key-file <your public key path>

After executing the Python script, let's try to SSH into the Fortinet server. Use the command below to SSH into the Fortinet server.

ssh admin@<fortinet server ip>

After successfully getting access to the Fortinet server, let's create a new user in the Fortinet database.

Now that a new user with admin rights has been added, let's try logging in with this user.

After entering the credentials of the newly created user, we successfully log in to the Fortinet admin panel as an admin user.

Open the admin users list to verify whether your user has been added as an admin user.

As you can see, our created user has been added to the Fortinet users as an admin user.
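The walkthrough above ends with an extra administrator account appearing on the device, and the Mitigation section earlier shows the local-in policy that is supposed to keep the admin interface reachable only from a management group. As an added example (not code from the original post, from Fortinet, or from the PoC repository), the following Python script parses the flat FortiOS-style CLI blocks shown in the mitigation section (config / edit / set / next / end) and runs two defender-side checks on the result: it audits whether the local-in policy actually accepts HTTP/HTTPS admin access only from a named source and denies everything else, and it lists accounts under config system admin that are not in a known-good baseline. The sample configuration and the account name svc_backup are constructed for this example; the parser handles only the flat form shown on the page and skips nested config blocks.

```python
# Added example (not from the Vicarius post, Fortinet or the PoC repo): a parser
# for the flat FortiOS-style CLI blocks shown in the mitigation section, plus
# two defender-side checks on the parsed result. All sample data is constructed.
import shlex
from typing import Dict, List, Set

Config = Dict[str, Dict[str, Dict[str, List[str]]]]  # section -> entry -> key -> values


def parse_fortios_config(text: str) -> Config:
    """Parse 'config <section>' / 'edit <name>' / 'set k v...' / 'next' / 'end'.
    Nested 'config' blocks inside an entry are tracked by depth and skipped."""
    result: Config = {}
    section = entry = None
    depth = 0
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            depth += 1
            if depth == 1:
                section = " ".join(args)
                result.setdefault(section, {})
        elif cmd == "end":
            depth -= 1
            if depth == 0:
                section = entry = None
        elif depth != 1 or section is None:
            continue  # inside a nested block, or outside any section
        elif cmd == "edit":
            entry = " ".join(args)
            result[section].setdefault(entry, {})
        elif cmd == "set" and entry is not None and args:
            result[section][entry][args[0]] = args[1:]
        elif cmd == "next":
            entry = None
    return result


def audit_local_in_policy(cfg: Config) -> List[str]:
    """Findings for the admin web-access restriction; an empty list means it looks right.
    Matches the built-in HTTPS/HTTP services and custom GUI_HTTPS/GUI_HTTP objects."""
    policies = cfg.get("firewall local-in-policy", {})
    web = {n: p for n, p in policies.items()
           if any("HTTP" in s.upper() for s in p.get("service", []))}
    if not web:
        return ["no local-in policy covers HTTP/HTTPS admin access"]
    findings: List[str] = []
    deny_all = False
    for name, pol in web.items():
        action, src = (pol.get("action") or ["?"])[0], pol.get("srcaddr", [])
        if action == "accept" and (not src or "all" in src):
            findings.append(f"policy {name}: accepts HTTP/HTTPS admin from any source")
        elif action == "deny" and "all" in src:
            deny_all = True
    if not deny_all:
        findings.append("no catch-all deny for HTTP/HTTPS admin access")
    return findings


def unexpected_admins(cfg: Config, baseline: Set[str]) -> List[str]:
    """Accounts under 'config system admin' that are not in the known-good baseline."""
    return sorted(set(cfg.get("system admin", {})) - baseline)


# Constructed sample: the local-in policy from the post (dstaddr/schedule lines
# dropped for brevity) plus an admin table containing one unknown account.
SAMPLE_CONFIG = """\
config firewall local-in-policy
    edit 1
        set intf port1
        set srcaddr "MGMT_IPs"
        set action accept
        set service HTTPS HTTP
        set status enable
    next
    edit 2
        set intf "any"
        set srcaddr "all"
        set action deny
        set service HTTPS HTTP
        set status enable
    next
end
config system admin
    edit "admin"
    next
    edit "svc_backup"
    next
end
"""
# Weakened variant: policy 1 opened up to every source address.
WEAK_CONFIG = SAMPLE_CONFIG.replace('set srcaddr "MGMT_IPs"', 'set srcaddr "all"')

if __name__ == "__main__":
    cfg = parse_fortios_config(SAMPLE_CONFIG)
    print("findings:", audit_local_in_policy(cfg))                  # []
    print("unexpected admins:", unexpected_admins(cfg, {"admin"}))  # ['svc_backup']
    print("weak findings:", audit_local_in_policy(parse_fortios_config(WEAK_CONFIG)))
```

Running the admin-account comparison on a schedule against exported configuration, with the baseline kept outside the device, gives a simple control for the outcome the walkthrough demonstrates: an administrator account nobody on the team created shows up as a finding rather than being discovered by accident in the GUI.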

Reference:

  • https://www.fortiguard.com/psirt/FG-IR-22-377

  • https://github.com/carlosevieira/CVE-2022-40684

  • https://github.com/Chocapikk/CVE-2022-40684

  • https://nvd.nist.gov/vuln/detail/CVE-2022-40684

#fortinet #FortiProxy #ForitnetAdminAccess #CVE-2022-40684


Written by

Khurram Arif
