News surfaced late last week of a critical authentication bypass vulnerability present in the web administration interface of some Fortinet products. Successful exploitation of this vulnerability (tracked as CVE-2022-40684) via crafted HTTP and HTTPS requests can provide remote attackers with admin-level command execution on vulnerable FortiOS devices including FortiGate firewalls, FortiProxy web proxies, and FortiSwitchManager assets.
What is the impact?
With a CVSS critical score of 9.6, attackers running admin-level commands on compromised assets may have the ability to persist presence, explore connected internal networks, and exfiltrate data. Fortinet is aware of at least one exploit of this vulnerability in the wild, and Bleeping Computer offered a Shodan search showing more than 140k publicly accessible FortiGate devices which may be running vulnerable FortiOS. Additionally, security researchers with Horizon3.ai are planning on publishing an exploit PoC this week. For admins wanting to check if a FortiOS/FortiProxy/FortiSwitchManager asset has been exploited, Fortinet does provide an indicator of compromise (see the “Exploitation Status” section).
Are updates available?
Fortinet has called out the vulnerable FortiOS, FortiProxy, and FortiSwitchManager versions in their advisory and has made updates available for affected products. Admins should ensure that affected models are updated to the latest version as soon as possible. If updates cannot be completed in the near term, Fortinet does provide some mitigation steps (see the “Workaround” section) that can be taken to secure vulnerable assets.
How do I find potentially vulnerable FortiOS, FortiProxy, and FortiSwitchManager assets with runZero?
From the Asset Inventory, use the following pre-built query to locate FortiOS, FortiProxy, and FortiSwitchManager assets that may need remediation:
os:FortiOS or product:FortiProxy or product:FortiSwitchManager
As always, any prebuilt queries are available from our Queries Library. Check out the library for other useful inventory queries.
About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.
