Nasty vulnerability in Fortinet firewalls, proxies abused in real-world attacks

Hand increasing the protection level by turning a knob
(Image credit: Shutterstock)

Fortinet has patched a high-severity vulnerability in multiple services that allowed threat actors remote access and was being abused in the wild. 

In a security advisory published late last week, the company described the flaw as an authentication bypass on the admin interface, allowing unauthenticated individuals to log into FortiGate firewalls, FortiProxy web proxies, and FortiSwitch Manager on-prem management instances.

The flaw is being tracked as CVE-2022-40684.

Urgent matters

"An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests," Fortinet’s announcement reads.

The company also said the patch was released this Thursday and added that it notified some of its customers via email, urging them to disable remote management user interfaces “with the utmost urgency”.

A couple of days after releasing the patch, the company came out with more details, claiming it found evidence of at least one real-life campaign leveraging the flaw:

"Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device's logs: user="Local_Process_Access," the company said.

These are the Fortinet products that should be patched immediately:

  • FortiOS : 7.2.1, 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0
  • FortiProxy : 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0
  • FortiSwitchManager : 7.2.0, 7.0.0

According to BleepingComputer, at least 140,000 FortiGate firewalls can be accessed via the internet and are “likely” exposed to attacks, if their admin management interfaces are also exposed, it said. Those that are unable to patch their endpoints right away should block attackers by disabling HTTP/HTTPS admin interfaces or limit the IP addresses that have access via Local in Policy, it was explained. 

"If these devices cannot be updated in a timely manner, internet-facing HTTPS Administration should be immediately disabled until the upgrade can be performed," Fortinet concluded.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.