FortiOS, FortyProxy, and FortiSwitch Manager Authentication Bypass Vulnerability on Administrative Interface (CVE-2022-40684)

Fortinet has patched a critical authentication bypass vulnerability in FortiOS, FortiProxy, and FortiSwitchManager products. Tracked as CVE-2022-40684, this is an authentication bypass vulnerability that could allow an attacker to perform unauthorized operations on vulnerable devices. CISA has added this vulnerability to its Known Exploitable Vulnerabilities Catalog.

Fortinet addressed the vulnerability by tweeting, “Due to the ability to exploit this issue remotely, Fortinet is strongly recommending all customers with the vulnerable versions to perform an immediate upgrade.”
Fortinet is the industry pioneer in secure networking that comes with flawless convergence that scales to any location—remote office, branch, campus, data center, and cloud. 

The Fortinet Security Fabric’s brain is its network operating system, FortiOS. The Security Fabric’s operating system, or software, connects all its parts and ensures tight integration throughout the deployment of the Security Fabric across an enterprise. 

FortiProxy is a secure web proxy that protects employees against internet-borne attacks by using several detection methods like web filtering, DNS filtering, data loss prevention, antivirus, intrusion prevention, and sophisticated threat protection.

The FortiSwitch Manager module enables users to centrally manage FortiSwitch templates and VLANs. It also helps in monitoring FortiSwitch devices connected to FortiGate devices. For particular FortiSwitch platforms, users can set up different templates that can be applied to various devices. 

Description 
This authentication bypass flaw can be exploited using an alternate path or channel in FortiOS, FortiProxy, and FortiSwitch Manager products. On successful exploitation, this could allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.

Fortinet has mentioned in the advisory, “Fortinet is aware of an instance where this vulnerability was exploited and recommends immediately validating your systems against the following indicator of compromise in the device’s logs:

user=”Local_Process_Access”

Proof of Concept

Security Researchers at Horizon3.ai released the Proof of Concept on October 13th, 2022. We tested the available POC on our targets and were able to replicate the issue.

The exploit code requires uploading a public SSH key to the vulnerable target. The first step is to generate an SSH key pair using the ssh-keygen command as follows: 

Image Source: Qualys Labs

Once an SSH key pair has been generated, the exploit can be executed as follows: 

Image Source: Qualys Labs

The exploit code uploads the public SSH key by sending a PUT request to the ‘/api/v2/cmdb/system/admin/admin endpoint of the vulnerable server.  

Image Source: Qualys Labs 

After the key is uploaded, the exploit checks for the “SSH key is good” string in the cli_error field.  The presence of the string indicates that the SSH public key was uploaded successfully, and the target is vulnerable. Now one can simply use the private SSH key to login to the compromised system. 

Image Source: Qualys Labs 

Affected versions 

    • FortiOS version 7.2.0 through 7.2.1 
    • FortiOS version 7.0.0 through 7.0.6 
    • FortiProxy version 7.2.0 
    • FortiProxy version 7.0.0 through 7.0.6 
    • FortiSwitch Manager version 7.2.0 
    • FortiSwitch Manager version 7.0.0 

Mitigation

Customers should upgrade to the following versions to mitigate the vulnerability: 

  • FortiOS version 7.2.2 or above 
  • FortiOS version 7.0.7 or above 
  • FortiProxy version 7.2.1 or above 
  • FortiProxy version 7.0.7 or above 
  • FortiSwitch Manager version 7.2.1 or above 

For more information, please refer to the PSIRT Advisory.

Workaround 

FortiOS: 
Disable HTTP/HTTPS administrative interface
OR 
Limit IP addresses that can reach the administrative interface: 

config firewall address
edit "my_allowed_addresses"
set subnet <MY IP> <MY SUBNET>
end

Then create an Address Group:  

config firewall addrgrp 
edit "MGMT_IPs" 
set member "my_allowed_addresses" 
end

Create the Local in Policy to restrict access only to the predefined group on the management interface (here: port1): 

config firewall local-in-policy 
edit 1 
set intf port1 
set srcaddr "MGMT_IPs" 
set dstaddr "all" 
set action accept 
set service HTTPS HTTP 
set schedule "always" 
set status enable 
next 
edit 2 
set intf "any" 
set srcaddr "all" 
set dstaddr "all" 
set action deny 
set service HTTPS HTTP 
set schedule "always" 
set status enable 
end

If using non-default ports, create an appropriate service object for GUI administrative access:

config firewall service custom 
edit GUI_HTTPS 
set tcp-portrange <admin-sport> 
next 
edit GUI_HTTP 
set tcp-portrange <admin-port>
end

Use these objects instead of “HTTPS HTTP “in the local-in policy 1 and 2 below. 

Please contact customer support for assistance.

FortiProxy:
Disable HTTP/HTTPS administrative interface 
OR 
Limit IP addresses that can reach the administrative interface (here: port1):

config system interface 
edit port1 
set dedicated-to management 
set trust-ip-1 <MY IP> <MY SUBNET> 
end

Please contact customer support for assistance.

FortiSwitch Manager: 
Disable HTTP/HTTPS administrative interface

Please contact customer support for assistance.

Qualys Detection  
Qualys customers can scan their devices with QIDs 43921 and 730623 to detect vulnerable assets.  
  
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.  
  
References
https://support.fortinet.com/information/bulletin.aspx  
https://thehackernews.com/2022/10/fortinet-warns-of-new-auth-bypass-flaw.html  
https://www.bleepingcomputer.com/news/security/fortinet-warns-admins-to-patch-critical-auth-bypass-bug-immediately/  

Leave a Reply

Your email address will not be published. Required fields are marked *