Proof-of-concept exploit code is now available for a critical authentication bypass vulnerability affecting Fortinet’s FortiOS, FortiProxy, and FortiSwitchManager appliances.
This security flaw (CVE-2022-40684) allows attackers to bypass the authentication process on the administrative interface of FortiGate firewalls, FortiProxy web proxies, and FortiSwitch Manager (FSWM) on-premise management instances.
Fortinet released security updates to address this flaw last Thursday. It also urged customers in private alerts to disable remote management user interfaces on affected devices “with the utmost urgency.”
Horizon3.ai security researchers released a proof-of-concept (PoC) exploit and a technical root cause analysis for this vulnerability today, following an announcement that a CVE-2022-40684 PoC will be made available this week.
The PoC exploit is designed to abuse the authentication bypass flaw to set an SSH key for the user specified when launching the Python script from the command line.
“An attacker can use this vulnerability to do just about anything they want to the vulnerable system. This includes changing network configurations, adding new users, and initiating packet captures,” explained Horizon3.ai exploit developer James Horseman.
“This exploit seems to follow a trend among recently discovered enterprise software vulnerabilities where HTTP headers are improperly validated or overly trusted.”
Additionally, according to previous Horizon3.ai analysis, attackers may also further compromise systems by:
Modifying the admin users’ SSH keys to enable the attacker to log in to the compromised system.
Adding new local users.
Updating networking configurations to reroute traffic.
Downloading the system configuration.
Initiating packet captures to capture other sensitive system information.
Actively exploited in attacks
While a publicly available PoC exploit would be a strong enough incentive to immediately patch all vulnerable FortiOS, FortiProxy, and FortiSwitchManager appliances, the bug is also being abused in ongoing attacks.
Even though a Fortinet spokesperson refused to comment when asked if the vulnerability is actively exploited in the wild when BleepingComputer reached out on Friday, the company confirmed Monday that it was aware of at least one attack where the vulnerability has been abused.
“Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device’s logs: user= “Local_Process_Access,” Fortinet said.
CISA added CVE-2022-40684 on Tuesday to its list of security bugs known to be exploited in the wild, requiring all Federal Civilian Executive Branch agencies to patch their Fortinet devices until November 1st to block ongoing attacks.
Cybersecurity company GreyNoise also shared on Thursday that it has seen attackers attempting to exploit CVE-2022-40684 in the wild.
GreyNoise has observed the first IP exploiting CVE-2022-40684, FortiOS Authentication Bypass Attempt. The IP leveraged the authentication bypass and attempted to export a backup of the FortiOS configuration. https://t.co/AknYbOfLYn pic.twitter.com/zdpKHYB1Kk
— GreyNoise (@GreyNoiseIO) October 13, 2022
“If these devices cannot be updated in a timely manner, internet facing HTTPS Administration should be immediately disabled until the upgrade can be performed,” Fortinet warned customers last week in private notifications.
Admins who cannot immediately apply patches or disable vulnerable appliances to ensure that their servers aren’t compromised can also use mitigation measures shared by Fortinet in this security advisory.
The workarounds require disabling the HTTP/HTTPS administrative interface or limiting the IP addresses that can reach the admin interface using a Local in Policy.
Those who want to verify if their devices have already been compromised before applying mitigations or patches can check the devices’ logs for user=” Local_Process_Access”, user_interface=” Node.js”, or user_interface=” Report Runner”.
