We would like to bring to your attention a newly discovered authentication bypass vulnerability within FortiOS, FortiProxy and FortiSwitchManager. This vulnerability is currently being actively exploited.
An authentication bypass has been identified using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager which allows an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests. The vulnerability has been issued the identifier CVE-2022-40684 and has been given a CVSS score of 9.6.
FortiOS version 7.2.0 through 7.2.1
FortiOS version 7.0.0 through 7.0.6
FortiProxy version 7.2.0
FortiProxy version 7.0.0
FortiSwitchManager version 7.2.0
FortiSwitchManager version 7.0.0
The current version of FortiOS / FortiGate can be checked with the following command, and should be checked against the known affected products above:
get system status
Additional Fortinet recommend to check the device’s log for the following strings to help detected compromised devices:
Exploited hosts may show records for these strings.
Whilst a workaround has been provided, current best guidance for remediating this issue to to update to an unaffected version.
FortiOS should be updated to version 7.2.2 or above and version 7.0.7 or above.
FortiProxy should be updated to version 7.2.1 or above and version 7.0.7 or above.
FortiSwitchManager should be updated to version 7.2.1 or above.
Exploiting CVE-2023-5044 and CVE-2023-5043 to overtake a Kubernetes Cluster
Delve into the Golden Ticket Attack in Active Directory: a key APT method. Discover its workings, countermeasures, and detection to protect your network.
Uncloaking Radio Frequency Identification (RFID)
Demystify RFID with insights on components, tag types, modulation, and use cases. A concise guide to the intricate world of RFID.
A journey into Badge Life
Explore CovertSwarm’s Badge Life journey from Defcon 30 chaos to Defcon 31 triumphs. Join the hardware hacking adventure in this article!