Fortinet has confirmed today that a critical authentication bypass security vulnerability patched last week is being exploited in the wild.
The security flaw (CVE-2022-40684) is an auth bypass on the administrative interface that enables remote threat actors to log into FortiGate firewalls, FortiProxy web proxies, and FortiSwitch Manager (FSWM) on-premise management instances.
“An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests,” Fortinet said in an advisory issued today.
The company released security updates to address this flaw on Thursday. It also alerted some of its customers via email (in what it calls an “advanced communication”) to disable remote management user interfaces on affected devices “with the utmost urgency.”
A Fortinet spokesperson declined to comment when BleepingComputer asked on Friday whether the vulnerability was being actively exploited in the wild, hinting only that the company would share more information in the coming days.
Today, days after issuing the private advisory, Fortinet finally admitted that it knows of at least one attack where CVE-2022-40684 was exploited.
“Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device’s logs: user="Local_Process_Access",” the company said.
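As an added example (not from the article or from Fortinet), the following Python scans exported FortiOS event log lines for the indicator Fortinet named, user="Local_Process_Access". The log lines are constructed samples in the key=value layout FortiOS syslog uses; every field name other than `user` is an assumption.

```python
import re
from typing import Dict, Iterable, List

# Indicator of compromise named in Fortinet's advisory for CVE-2022-40684.
IOC_USER = "Local_Process_Access"

# Matches key=value pairs where the value is either double-quoted
# (may contain spaces) or a bare token, as in FortiOS syslog output.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortios_line(line: str) -> Dict[str, str]:
    """Split one FortiOS key=value log line into a dict of fields."""
    fields: Dict[str, str] = {}
    for m in _KV_RE.finditer(line):
        key = m.group(1)
        # group 3 holds a quoted value, group 4 a bare one
        value = m.group(3) if m.group(3) is not None else m.group(4)
        fields[key] = value
    return fields


def find_ioc_hits(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed fields of every line whose user field is the IoC."""
    hits = []
    for line in lines:
        fields = parse_fortios_line(line)
        if fields.get("user") == IOC_USER:
            hits.append(fields)
    return hits


# Constructed sample lines (not real device output); field names other
# than `user` are assumptions about the FortiOS event log layout.
SAMPLE_LOG = [
    'date=2022-10-10 time=09:12:01 type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" ui="https(203.0.113.5)" '
    'srcip=203.0.113.5 action="login" status="success"',
    'date=2022-10-10 time=09:14:37 type="event" subtype="system" '
    'logdesc="Admin configuration changed" user="Local_Process_Access" '
    'ui="https(198.51.100.7)" srcip=198.51.100.7 action="Edit"',
    'date=2022-10-10 time=09:15:02 type="event" subtype="system" '
    'logdesc="Admin logout successful" user="admin" srcip=203.0.113.5',
]


if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG):
        print("possible CVE-2022-40684 exploitation:", hit.get("date"),
              hit.get("time"), "srcip=" + hit.get("srcip", "?"), hit.get("logdesc"))
```

Any hit should be treated as a lead to investigate, not proof on its own: the source IP and the configuration change recorded on the same line are what to follow up.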
The complete list of Fortinet products vulnerable to attacks exploiting CVE-2022-40684 if left unpatched includes:
FortiOS: 7.2.1, 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0
FortiProxy: 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0
FortiSwitchManager: 7.2.0, 7.0.0
Fortinet released security patches last week and asked customers to update vulnerable devices to FortiOS 7.0.7 or 7.2.2 and above, FortiProxy 7.0.7 or 7.2.1 and above, and FortiSwitchManager 7.2.1 or above to defend their devices from attacks.
PoC exploit ready to be released
Security researchers with the Horizon3 Attack Team have developed proof-of-concept (PoC) exploit code and announced its release later this week.
Another appliance vuln down…
CVE-2022-40684, affecting multiple #Fortinet solutions, is an auth bypass that allows remote attackers to interact with all management API endpoints.
Blog post and POC coming later this week. Patch now. pic.twitter.com/YS7svIljAw
— Horizon3 Attack Team (@Horizon3Attack) October 10, 2022
Per a Shodan search, more than 140,000 FortiGate firewalls can be reached from the Internet and are likely exposed to attacks if their admin management interfaces are also exposed.
Workaround also available
Fortinet also provided information on how customers can block incoming attacks even if they cannot immediately deploy security updates.
To block remote attackers from bypassing authentication and logging into vulnerable devices, admins should disable the HTTP/HTTPS administrative interface or limit the IP addresses that can reach the administrative interface using a Local in Policy.
Detailed information on how to disable the vulnerable admin interface for FortiOS, FortiProxy, and FortiSwitchManager or limit access per IP address can be found in this Fortinet PSIRT advisory published Monday, October 10.
“If these devices cannot be updated in a timely manner, internet facing HTTPS Administration should be immediately disabled until the upgrade can be performed,” Fortinet said in notifications sent to some of its customers last week.