Authentication Bypass Vulnerability in Fortinet Products (CVE-2022-40684)

BACKGROUND
 
Fortinet has released a critical warning of a high severity vulnerability, CVE-2022-40684, affecting FortiOS, FortiProxy and FortiSwitchManager.
 
In Brunei, there are over 200 Fortinet devices exposed to the Internet, and affected agencies are strongly advised to patch their devices as soon as possible.
 
Successful exploitation allows an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests using an alternate path or channel. The attack does not require any user interaction and can be executed remotely.

IMPACT
 
•    Allows attackers to perform operations on the administrative interface.
•    Allows execution of unauthorized code or commands.
•    May provide a foothold for lateral movement to other systems.
 
AFFECTED SYSTEMS

•    FortiOS version 7.2.0 through 7.2.1
•    FortiOS version 7.0.0 through 7.0.6
•    FortiProxy version 7.2.0
•    FortiProxy version 7.0.0 through 7.0.6
•    FortiSwitchManager version 7.2.0
•    FortiSwitchManager version 7.0

RECOMMENDATIONS
 
Update and patch to the latest version:

  •   FortiOS version 7.2.2 or above 
  •   FortiOS version 7.0.7 or above 
  •   FortiProxy version 7.2.1 or above
  •   FortiProxy version 7.0.7 or above
  •   FortiSwitchManager version 7.2.1 or above

FortiOS:

  •   Disable HTTP/HTTPS administrative interface, OR
  •   Limit IP addresses that can reach the administrative interface:

        config firewall address
            edit "my_allowed_addresses"
                set subnet <MY IP> <MY SUBNET>
            end

  •   Then create an Address Group:

        config firewall addrgrp
            edit "MGMT_IPs"
                set member "my_allowed_addresses"
            end

  •   Create the Local in Policy to restrict access only to the predefined group on the management interface (here: port1):

        config firewall local-in-policy
            edit 1
                set intf port1
                set srcaddr "MGMT_IPs"
                set dstaddr "all"
                set action accept
                set service HTTPS HTTP
                set schedule "always"
                set status enable
            next
            edit 2
                set intf "any"
                set srcaddr "all"
                set dstaddr "all"
                set action deny
                set service HTTPS HTTP
                set schedule "always"
                set status enable
            end

  •   If using non-default ports, create the appropriate service objects for GUI administrative access:

        config firewall service custom
            edit GUI_HTTPS
                set tcp-portrange <admin-sport>
            next
            edit GUI_HTTP
                set tcp-portrange <admin-port>
            end

  •   Use these objects instead of "HTTPS HTTP" in local-in policies 1 and 2 above.
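As an added example (not code from Fortinet or from this advisory), the following Python helper audits a FortiOS configuration dump for the local-in policy layout described above: it parses the config/edit/set/next/end structure and reports whether administrative HTTP/HTTPS from arbitrary sources reaches a catch-all deny before any accept rule from "all". The function names, the constructed sample and the assumption that a missing action in terse "show" output means the FortiOS default of deny are the example's own.

```python
# Added example, not Fortinet's code: audit a FortiOS config dump for the
# local-in-policy workaround above (hypothetical helper, standard library only).
import shlex

ADMIN_SERVICES = {"HTTP", "HTTPS"}


def parse_local_in_policies(config_text):
    """Entries of 'config firewall local-in-policy', in order, one dict per edit."""
    policies, current, in_block = [], None, False
    for tokens in map(shlex.split, config_text.splitlines()):  # shlex drops quotes
        if tokens == ["config", "firewall", "local-in-policy"]:
            in_block = True
        elif not tokens or not in_block:
            continue  # blank line, or an unrelated section of the dump
        elif tokens[0] == "edit":
            current = {"id": tokens[1]}
        elif tokens[0] == "set" and current is not None:
            current[tokens[1]] = tuple(tokens[2:])  # multi-value keys keep all values
        elif tokens[0] == "next" and current is not None:
            policies.append(current)
            current = None
        elif tokens[0] == "end":
            break  # end of the local-in-policy section
    return policies


def admin_access_restricted(policies, services=ADMIN_SERVICES):
    """True only if admin HTTP/HTTPS from any source hits a catch-all deny
    (intf any, srcaddr all) before any accept rule whose source is 'all'."""
    for p in policies:
        svc = set(p.get("service", ()))
        if p.get("status") == ("disable",) or not (svc & services or "ALL" in svc):
            continue  # disabled, or does not touch the admin GUI ports
        src = set(p.get("srcaddr", ()))
        # 'show' output omits defaults; assumed default action for local-in is deny
        action = p.get("action", ("deny",))[0]
        if action == "deny" and "all" in src and p.get("intf") == ("any",):
            return True
        if action == "accept" and "all" in src:
            return False  # GUI reachable from anywhere before the deny
    return False  # no catch-all deny: local-in traffic is implicitly allowed

# Constructed sample: the advisory's two rules, reduced to the fields the audit reads.
HARDENED = "\n".join([
    "config firewall local-in-policy", 'edit 1', 'set intf "port1"',
    'set srcaddr "MGMT_IPs"', 'set action accept', 'set service "HTTPS" "HTTP"', 'next',
    'edit 2', 'set intf "any"', 'set srcaddr "all"', 'set action deny',
    'set service "HTTPS" "HTTP"', 'next', 'end'])
```

Run it against the output of "show firewall local-in-policy" on the device; a result of False means the GUI is still reachable from unrestricted sources and the workaround is incomplete.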

FortiProxy:

  •   Disable HTTP/HTTPS administrative interface, OR
  •   Limit IP addresses that can reach the administrative interface (here: port1):

        config system interface
            edit port1
                set dedicated-to management
                set trust-ip-1 <MY IP> <MY SUBNET>
            end

FortiSwitchManager:

  •   Disable HTTP/HTTPS administrative interface