About CVE-2022-40684

On October 6, 2022, Fortinet disclosed a critical remote authentication bypass vulnerability impacting FortiOS, FortiProxy, and FortiSwitchManager – CVE-2022-40684 that could allow a remote unauthenticated threat actor to obtain access to the administrative interface and perform operations via specially crafted HTTP or HTTPS requests.

On October 10th, Fortinet became aware of an instance where this vulnerability was exploited and provided remediation guidance. At this time, it was added to CISA’s Known Exploited Vulnerabilities Catalog with a recommended due date for resolution of November 1, 2022.

On October 12th, our detection and response services observed threat actors begin exploiting CVE-2022-40684 on a widespread basis by:

  • Accessing and downloading the appliance’s configuration file.
    • We have observed threat actors leverage Node.js and Report Runner to download the file.
    • This includes and is not exclusive to cleartext rules, policies, filtering, usernames, routing configurations. As well as encrypted passwords encrypted via the private-encryption-key.
  • Creating privileged administrator accounts.
  • Uploading and running scripts.

Upon hearing this, ISG and our security partners are recommending prompt patching of all impacted systems, which are listed below.

ISG Managed Perimeter Security customers are being contacted to identify the ideal time to complete these patches and identify any potential impact. ISG has patched our internal systems and is working in lock-step with our security partners to stay appraised of the latest threat intelligence on this vulnerability.

Impacted Systems

  • FortiOS versions 5.x, 6.x are NOT impacted.
  • FortiOS version 7.2.0 through 7.2.1
  • FortiOS version 7.0.0 through 7.0.6
  • FortiProxy version 7.2.0
  • FortiProxy version 7.0.0 through 7.0.6
  • FortiSwitchManager version 7.2.0
  • FortiSwitchManager version 7.0.0

Recommended Actions to Take

  • Please upgrade to FortiOS version 7.2.2 or above
  • Please upgrade to FortiOS version 7.0.7 or above
  • Please upgrade to FortiProxy version 7.2.1 or above
  • Please upgrade to FortiProxy version 7.0.7 or above
  • Please upgrade to FortiSwitchManager version 7.2.1 or above

Additional Recommendations

As always, ISG recommends following change management best practices for applying upgrades, including:

  • Testing changes in a dev environment before deploying to production to avoid any operational impact
  • Do not expose administrative interfaces externally
  • Limit IP addresses that can reach the administrative interface using a local-in-policy
  • Implement multi-factor authentication (MFA) to make successful exploitation significantly more difficult

For more best practices around network access, reference Fortinet’s user authentication best practices document.

If you should need help applying patches or have any questions, contact us today.