Note this! A new, high-severity vulnerability has arrived. Fortinet recently disclosed an authentication bypass flaw in its FortiOS, FortiProxy, and FortiSwitch Manager appliances. Fortinet customers running vulnerable product versions are at serious risk because the flaw, designated CVE-2022-40684, is already being exploited in the wild.

Introduction

CVE-2022-40684 is an authentication bypass in Fortinet products that is being actively exploited: an attacker can log in to the administrative interface of a vulnerable system as an administrator without valid credentials. Fortinet’s FortiOS, FortiProxy, and FortiSwitch Manager appliances were found to be affected. The flaw carries a CVSS score of 9.6. Fortinet privately informed customers of a security weakness in FortiGate firewalls and FortiProxy web proxies that may allow an attacker to carry out unauthorized actions on vulnerable systems.

Only a Few Versions are Vulnerable

It’s important to remember that this vulnerability can be exploited even if the firewall administrator has never generated an API token. A second aspect of this vulnerability is that, even when exploitation succeeds, the attacker’s IP address is not revealed.

Product versions affected by the authentication bypass flaw:

  1. FortiOS: 7.0.0 to 7.0.6, 7.2.0 to 7.2.1
  2. FortiProxy: 7.0.0 to 7.0.6, 7.2.0
  3. FortiSwitch Manager: 7.0.0, 7.2.0
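The first thing a defender needs is a quick way to compare an inventory of Fortinet appliances against the three affected ranges above. The following Python script is an added example written for this post, not a Fortinet tool: it encodes the ranges exactly as listed (inclusive on both ends), parses version strings such as `v7.0.5,build0304` into a comparable tuple, and reports which hosts in a constructed sample inventory need patching. The hostnames and versions in the sample are made up for illustration.

```python
"""Check Fortinet product versions against the CVE-2022-40684 affected ranges.

Added example for this post; the affected ranges are those listed in the
advisory summary above, and the sample inventory is constructed.
"""
import re
from typing import Iterable, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges per product, inclusive on both ends, as listed in the post.
AFFECTED = {
    "FortiOS": [((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 1))],
    "FortiProxy": [((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 0))],
    "FortiSwitchManager": [((7, 0, 0), (7, 0, 0)), ((7, 2, 0), (7, 2, 0))],
}

# Accepts "7.0.5", "v7.0.5" and "v7.0.5,build0304"; only the dotted triple matters.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Parse a version string into a (major, minor, patch) tuple.

    Raises ValueError for input that does not start with a dotted triple,
    so a malformed inventory row is never silently treated as 'not affected'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(product: str, version: str) -> bool:
    """True when `version` of `product` falls inside one of the affected ranges."""
    if product not in AFFECTED:
        raise KeyError(f"unknown product {product!r}; expected one of {sorted(AFFECTED)}")
    v = parse_version(version)
    # Tuple comparison is lexicographic, so (7, 0, 5) <= (7, 0, 6) as expected.
    return any(low <= v <= high for low, high in AFFECTED[product])


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Given (hostname, product, version) rows, return the hosts that need patching."""
    return [host for host, product, version in inventory if is_affected(product, version)]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = [
        ("fw-edge-01", "FortiOS", "v7.0.5,build0304"),
        ("fw-edge-02", "FortiOS", "v7.2.2"),
        ("fw-branch-03", "FortiOS", "v6.4.9"),
        ("proxy-01", "FortiProxy", "7.2.0"),
        ("proxy-02", "FortiProxy", "7.2.1"),
        ("fsm-01", "FortiSwitchManager", "7.2.0"),
    ]
    for host in triage(sample):
        print(f"{host}: affected by CVE-2022-40684; patch or restrict management access")
```

Feed `triage()` rows exported from your asset inventory or from the version banner of each appliance. Anything outside the listed ranges (for example 6.4.x or 7.2.2 and later) is reported as not affected, which is why the table of ranges must be kept in step with the vendor advisory rather than edited from memory.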

Security Concerns about the vulnerability

  1. An exploit for this vulnerability is already in use, and it is freely available on GitHub and other hacking sites.
  2. The vulnerability is not difficult to exploit and requires little effort from a threat actor. It should be patched quickly because it is extremely risky for a number of reasons.

Online vulnerable devices

Using search engines like Shodan, ZoomEye, or Netlas, it is possible to locate numerous internet-connected Fortinet devices that may be susceptible.

Researchers have published search-engine dorks that identify exposed Fortinet devices potentially susceptible to CVE-2022-40684.

The Search Engine Dork

On Zoomeye : title: “FortiGate” 

On Shodan : product: “Fortinet FortiGate” 

The queries above are the search phrases a threat actor would enter to locate someone’s susceptible Fortinet device. You can see how many devices turn up when we search on Shodan, for instance, in the screenshot below.

Additionally, you can see how a FortiGate device may be found and reached remotely.

How does the exploit work?

The vulnerability stems from an access-control check in the software that can be fooled simply by changing the “User-Agent” and adding a “Forwarded” HTTP header. Because the request then appears to be issued by the device itself, the control mechanism is misled, allowing the attacker to get around authorization and take control of a susceptible Fortinet device.

Additionally, the attacker can add an SSH key to the admin account and create a new local user account in order to establish persistence. By configuring device policies, the attacker can also remotely reach the internal network.

How to mitigate?

Here are some recommendations to reduce risk if you believe your Fortinet device or business is compromised.

  1. Preserve the logs so they are available for any future investigation.
  2. Take the susceptible system offline if you are certain that you have been compromised.
  3. Upgrade your software to the latest version.
  4. Change all passwords on the compromised device.
  5. Verify the authenticity of any SSH key configured for the admin account.
  6. Enable multi-factor authentication for your remote access solution.
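Two of the things worth checking during that review are the persistence artefacts described earlier (a new local account, an SSH key planted on the admin account) and item 5 above. The following Python script is an added example for this post, not Fortinet code: it parses the `config system admin` section of a configuration backup and reports accounts missing from an approved baseline as well as any account carrying an `ssh-public-key` setting. The `config` / `edit` / `set` / `next` / `end` block layout and the `ssh-public-key1` setting name are assumptions about the backup format, and the embedded sample configuration, account names and key material are constructed for illustration.

```python
"""Audit a FortiOS-style config backup for admin-account persistence artefacts.

Added example for this post. The block layout (config/edit/set/next/end) and
the 'ssh-public-key1' setting name are assumptions; SAMPLE_CONFIG is constructed.
"""
import re
from typing import Dict, List, Set

# Constructed sample backup excerpt: one legitimate admin that has acquired an
# SSH key, one unknown account, and one known operator account.
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set ssh-public-key1 "ssh-rsa AAAAB3NzaC1yc2E_CONSTRUCTED_KEY_MATERIAL unknown@host"
    next
    edit "backupsvc"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "netops"
        set accprofile "prof_admin"
        set vdom "root"
    next
end
"""

_EDIT_RE = re.compile(r'^edit\s+"([^"]+)"$')
_SET_RE = re.compile(r"^set\s+(\S+)\s+(.*)$")


def parse_admins(config_text: str) -> Dict[str, Dict[str, str]]:
    """Return {account_name: {setting: value}} for each 'edit' block inside
    'config system admin'. Other sections are skipped entirely."""
    admins: Dict[str, Dict[str, str]] = {}
    in_section = False
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_section = True
            continue
        if not in_section:
            continue
        if line == "end":          # closes the admin section; stop parsing
            break
        m = _EDIT_RE.match(line)
        if m:
            current = m.group(1)
            admins[current] = {}
            continue
        if line == "next":         # closes the current account block
            current = None
            continue
        m = _SET_RE.match(line)
        if m and current is not None:
            admins[current][m.group(1)] = m.group(2).strip('"')
    return admins


def find_persistence(config_text: str, baseline_accounts: Set[str]) -> Dict[str, List[str]]:
    """Flag accounts absent from the approved baseline, and any admin account
    that carries an SSH public key (ssh-public-key1..3)."""
    admins = parse_admins(config_text)
    unexpected = sorted(name for name in admins if name not in baseline_accounts)
    keyed = sorted(
        name for name, settings in admins.items()
        if any(key.startswith("ssh-public-key") for key in settings)
    )
    return {"unexpected_accounts": unexpected, "accounts_with_ssh_keys": keyed}


if __name__ == "__main__":
    # Baseline: the admin accounts you know you created. 'backupsvc' is not one of them.
    findings = find_persistence(SAMPLE_CONFIG, baseline_accounts={"admin", "netops"})
    for category, names in findings.items():
        print(f"{category}: {', '.join(names) or 'none'}")
```

Run it against a backup taken from the device and against the last known-good backup; any account or key that appears only in the newer one is exactly the kind of change that warrants the assume-breach handling described in the conclusion. An SSH key on an admin account is not proof of compromise on its own, which is why the script reports it for verification rather than deleting it.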

Conclusion 

There are a lot of exposed susceptible systems on the internet, and threat actors routinely scan for them and compromise them. As a result, the victims’ credentials, policies, account information, network access, and admin access end up in the attacker’s hands. If you do not have enough logs to rule out compromise, the only option left is to assume breach.

We at Kratikal, a CERT-In empanelled company, can help you choose the best practices to meet your application security requirements. We can check for switch vulnerabilities and firewall configuration errors, and harden your systems so that they follow sound security procedures.

What are your thoughts on the matter? Share your thoughts about Fortinet Vulnerability in the comment section below!
