FortiOS / FortiProxy / FortiSwitchManager - Authentication Bypass (CVE-2022-40684)

We would like to bring to your attention a newly discovered authentication bypass vulnerability within FortiOS, FortiProxy and FortiSwitchManager. This vulnerability is currently being actively exploited.


An authentication bypass has been identified using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager which allows an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests. The vulnerability has been issued the identifier CVE-2022-40684 and has been given a CVSS score of 9.6.


Affected Products

  • FortiOS version 7.2.0 through 7.2.1

  • FortiOS version 7.0.0 through 7.0.6

  • FortiProxy version 7.2.0

  • FortiProxy version 7.0.0

  • FortiSwitchManager version 7.2.0

  • FortiSwitchManager version 7.0.0

Detection


The current version of FortiOS / FortiGate can be checked with the following command, and should be checked against the known affected products above:

get system status

Additional Fortinet recommend to check the device’s log for the following strings to help detected compromised devices:

  • user=”Local_Process_Access”

  • user_interface=”Node.js”

  • user_interface=”Report Runner”

Exploited hosts may show records for these strings.


Remediation


Whilst a workaround has been provided, current best guidance for remediating this issue to to update to an unaffected version.

  • FortiOS should be updated to version 7.2.2 or above and version 7.0.7 or above.

  • FortiProxy should be updated to version 7.2.1 or above and version 7.0.7 or above.

  • FortiSwitchManager should be updated to version 7.2.1 or above.

References