A critical authentication bypass vulnerability exists in multiple Fortinet products, including the FortiOS, FortiProxy, and FortiSwitchManager.
According to Fortinet’s vulnerability disclosure, CVE-2022-40684 could be abused by an authenticated attacker to send specially crafted HTTP requests on affected Fortinet products. For instance, an attacker could obtain elevated privileges by adding SSH keys to administrative accounts.
By targeting the affected versions of Fortinet products, an attacker could take advantage of a controlling mechanism in a function responsible for evaluating the affected devices’ access to the REST API functionality. While exploiting this vulnerability, the attacker adds an SSH key to the admin user, enabling access to SSH into the affected system as admin.
A scan performed by Cyble revealed over 100,000 instances of publicly exposed Fortinet’s FortiGuard firewalls globally. The vulnerability affects FortiOS versions prior to 7.2.1, FortiProxy versions prior to 7.2.0, and FortiSwitchManager versions prior to 7.2.0.
On November 17, 2022, an unnamed threat actor started advertising the FortiOS VPN access on underground forums. Evidence suggests that the attacker attempted to add their public key to the admin user’s account, suggesting that the victim runs unpatched Fortinet products.
Mitigations
- Update affected products with the latest patch released by the official vendor.
- Continuous monitoring and logging of activities on the network for anomalies.
- Active monitoring of the dark web and cybercrime forums can help early detect and mitigate new TTP deployed by threat actors.
Conclusion
The vulnerability has been classified as critical, with large numbers of exposed assets that belong to private-public entities exposed over the internet. Publicly distributed Proof of Concepts (POCs) and automation tools have made it more convenient for threat actors to easily target victim organizations within a few days of the announcement of the new CVE.
Organizations stand a high-risk impact from the vulnerability as it is actively being exploited by threat actors distributing access and leaks over the dark web and other cybercrime forums.
