Skip to Content

Fortinet gear APT abuse CVE-2022-40684

Updated on 2022-10-24: Fortinet gear APT abuse

CYFIRMA researchers said they’d observed multiple APT groups exploiting CVE-2022-40684, a recently disclosed/patched authentication bypass in Fortinet devices. Read more: Fortinet Authentication Bypass Vulnerability Exploited by Threat Actors

“The suspected threat actors are US17IRGCorp aka APT34, HAFNIUM, and its affiliates in the ongoing campaign’ درب عقب’ translating to ‘Tailgate’.”

Updated on 2022-10-17

Fortinet is urging users to take steps to patch their FortiOS, FortiProxy and FortiSwitchManager appliances to protect them from an authentication bypass vulnerability. The flaw can be exploited to gain admin access through maliciously crafted HTTP/HTTPS requests. If users are unable to update immediately, they are advised to disable the HTTP/HTTPS administrative interface or limit IP addresses that are able to reach that interface. The flaw, CVE-2022-40684, has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.

Note

  • There appear to be a lot of organizations unaware that they are using a vulnerable appliance. Please double check and scan your network for these devices. As usual: Do not expose admin interfaces to the internet (web or ssh). In our honeypots, we saw exploit attempts as soon as the details were made public.
  • Fortinet is actively reaching out to customers and urging them to apply the update or mitigations. If you have affected Fortinet gear, make sure that no unauthorized/unexpected changes have been made. Verify the update has been applied and review the Fortinet bulletin for other IOCs, make sure you’re golden. Even if you don’t have Fortinet gear, make sure that you’re limiting access to the administrative interfaces of your boundary control devices.
  • I know many vendors provided web based administration capabilities for their devices, but I believe the risks of such a solution far outweigh the benefits provided. My recommendation is configure any remote administration of a firewall or other security devices to use a VPN that is protected by strong MFA.
  • On the surface, having your management interfaces exposed to the internet would normally be something we would consider a bad practice. This is until you realize that many enterprises will attempt to manage their sites using cloud-based management interfaces that require this configuration. The only current saving grace is that 7.0 and 7.2, which are the current vulnerable ones, are not yet widely deployed.

Read more in

Updated on 2022-10-16: CISA adds Fortinet bug to exploited vulnerabilities list

Bad week for Fortinet customers — and government agencies — that have to scramble to fix a critical-rated vulnerability affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager, tracked as CVE-2022-40684. The bug allows unauthenticated attackers to “perform operations on the administrative interface,” which is pretty bad for a security appliance. CISA has ordered civilian fed agencies until November 1 to shore up their systems. Security researchers say some 10,000 appliances are exposed to the internet, but there are likely many more vulnerable appliances out there. Proof of concept code is out already as internet watchers note a rise of active exploitation in the wild. “An attacker can use this vulnerability to do just about anything they want to the vulnerable system,” including adding users and changing networking configurations. Read more:

Updated on 2022-10-14: Public PoC for Fortinet zero-day

There is now a publicly-accessible proof-of-concept exploit for the recently disclosed Fortinet zero-day tracked as CVE-2022-40684. Read more: FortiOS, FortiProxy, and FortiSwitchManager Authentication Bypass Technical Deep Dive (CVE-2022-40684)

Updated on 2022-10-12: CISA Adds Fortinet Flaw to Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a Fortinet authentication bypass vulnerability (CVE-2022-40684) to its Known Exploited Vulnerabilities catalog. CISA has also added a Microsoft Windows COM+ Event System Service privilege elevation vulnerability (CVER 2022-41033) to the catalog; Microsoft released a fix for the flaw earlier this week. Both vulnerabilities have mitigation due dates of November 1.

Note

  • While not a lot about the Fortigate flaw is disclosed, note that not only should you apply their provided update, but also limit access to administration interfaces. Make sure that you’re not exposing any management interfaces directly to the Internet. If you don’t find them, Shodan will.

Read more in

Updated on 2022-10-11

Fortinet confirms zero-day: Fortinet said on Monday that the CVE-2022-40684 auth bypass vulnerability it fixed last week was also exploited in attacks in the wild. The company sent a private notification to all customers last week, asking them to install the most recent security patch, but did not say anything about the vulnerability being exploited, which would most likely led to a more rapid patching effort. Read more: FortiOS / FortiProxy / FortiSwitchManager – Authentication bypass on administrative interface

Updated on 2022-10-10

Fortinet says that a critical authentication bypass vulnerability in its FortiOS, FortiProxy and FortiSwitchManager products is being actively exploited. The flaw can allow attackers to bypass the product’s administrative interfaces. Fortinet released a fix for the flaw last week. Fortinet is urging users to update as follows: for FortiOS update from 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1; for FortiProxy, update from 7.0.0 to 7.0.6 and 7.2.0.

Note

  • More details and a likely PoC exploit are expected later this week. This is not just a “must patch now” issue, but yet another reason to verify that your admin interfaces are not exposed. Starting yesterday, we saw an increase in scans for an older Fortinet vulnerability. This may either be due to the publicity around the flaw, or someone using an older attack tool to fingerprint devices in order to build target lists.
  • Until you’ve applied the update, you can disable access to the web administration interface, or limit which hosts are allowed to connect to it. Even after you’ve applied the update, keep access to the web interface limited to only the devices which _MUST_ use it.

Read more in

Overview: Fortinet auth bypass

Networking equipment vendor Fortinet privately notified customers last week about an authentication bypass (tracked as CVE-2022-40684) in the web admin interface of its FortiGate firewalls and FortiProxy web proxies. It’s unclear why the company notified customers in private instead of a public security advisory, so all clues now suggest the issue may be easily exploitable.

    Ads Blocker Image Powered by Code Help Pro

    Ads Blocker Detected!!!

    This site depends on revenue from ad impressions to survive. If you find this site valuable, please consider disabling your ad blocker.