Concerns over a critical authentication bypass vulnerability in certain Fortinet appliances heightened this week with the release of proof-of-concept (PoC) exploit code and at least one vulnerability scanner for the flaw.

The vulnerability (CVE-2022-40684) is present in multiple versions of Fortinet’s FortiOS, FortiProxy, and FortiSwitch Manager technologies. It allows an unauthenticated attacker to gain administrative access to affected products via specially crafted HTTPS and HTTP requests, potentially using that as an entry point to the rest of the network.

Added to CISA’s Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) earlier this week added the vulnerability to its Known Exploited Vulnerabilities catalog. Federal executive branch agencies — which are required to remediate vulnerabilities in the catalog within specific deadlines — have until Nov. 1 to address it. Though the deadline applies only to federal agencies, security experts have previously noted that it is a good idea for all organizations to monitor the vulnerabilities in the catalog and follow CISA’s deadline for implementing fixes.

Fortinet privately notified customers of the affected products about the vulnerability last Friday, along with instructions to immediately update to patched versions of the technology the company had just released. It advised companies that could not update for any reason to immediately disable Internet-facing HTTPS administration until they could upgrade to the patched versions.

“Due to the ability to exploit this issue remotely, Fortinet is strongly recommending all customers with the vulnerable versions to perform an immediate upgrade,” Fortinet said in its private notification, a copy of which was posted on Twitter the same day.

Fortinet followed up with a public vulnerability advisory on Monday describing the flaw and warning customers of potential exploit activity. The company said it was aware of instances where attackers had exploited the vulnerability to download the configuration file from affected systems and to add a malicious super_admin account called “fortigate-tech-support”.

Since then, penetration testing firm Horizon3.ai has released proof-of-concept code for exploiting the vulnerability, along with a technical deep dive on the flaw. A template for scanning for the vulnerability has also become available on GitHub.

Exacerbating the concerns is the relatively low bar for exploiting the flaw. “This vulnerability is extremely easy for an attacker to exploit. All that is required is access to the management interface on a vulnerable system,” Johannes Ullrich, dean of research at the SANS Institute, tells Dark Reading.

Increase in Scanning Activity for the Flaw

James Horseman, exploit developer at Horizon3.ai, says public data from GreyNoise — which tracks Internet scanning activity hitting security tools — shows the number of unique IPs using the exploit has grown from the single digits a few days ago to over 40 as of Oct. 14.

“We expect the number of unique IPs using this exploit to rapidly increase in the coming days,” Horseman says. It is not hard for attackers to find vulnerable systems, he adds: A Shodan search, for instance, shows more than 100,000 Fortinet systems worldwide.

“Not all of these will be vulnerable, but a large percentage will be,” Horseman says.

Ullrich says he has observed scans associated with an older FortiGate vulnerability (CVE-2018-13379) hitting SANS’ honeypots in the days following disclosure of the new bug. He says there are two theories why that might be happening.

One of them is that an attacker may have tried to catch as many devices as possible that had not yet been patched for the old vulnerability. Given the attention the new vulnerability has gotten, it is likely the old vulnerability will get patched as well now, he says.

“Or the attacker was trying to find Fortinet devices to exploit using the new vulnerability once it is available,” he theorizes. “The old vulnerability scanner they had sitting on the shelf may still work to identify Fortinet devices.”

A Popular Attacker Target

Concerns over vulnerabilities in Fortinet products are not new. The company’s technologies — and those of others selling similar appliances — have been frequently targeted by attackers trying to gain an initial foothold on target networks.

Last November, the FBI, CISA, and other agencies issued an advisory warning of Iranian advanced persistent threat actors exploiting vulnerabilities in Fortinet and Microsoft products. A similar alert in April 2021 warned of attackers exploiting flaws in FortiOS to break into multiple government, commercial, and technology services.

Zach Hanley, chief attack engineer at Horizon3.ai, says, “These vulnerable devices are often edge devices, so an attacker could potentially use this vulnerability to gain access to an organization’s internal networks to launch further attacks.”

Fortinet itself has recommended that organizations that are able to do so update to the newly patched versions of FortiOS, FortiProxy, and FortiSwitch Manager. For organizations that cannot immediately update, Fortinet has provided guidance on how to disable the HTTP/HTTPS interface or limit the IP addresses that can reach the administrative interface of the affected products.
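Two of the points above are checkable directly against a device's configuration backup: the rogue super_admin account Fortinet reported seeing (named “fortigate-tech-support”), and whether HTTP/HTTPS administration is still exposed on an external interface or any admin account lacks a trusted-host restriction. The script below is an added example written for this article, not Fortinet tooling or code from Horizon3.ai; it parses the flat `config ... edit ... set ... next ... end` layout of a FortiOS configuration backup. The sample configuration, the `["admin"]` allowlist and the `wan1`/`internal` interface names are constructed for the example, and the parser is a simplified reading of the format (nested sub-blocks inside an entry are skipped rather than interpreted).

```python
"""Audit a FortiOS configuration backup for signs discussed in the article:
unexpected super_admin accounts, admin accounts without a trusthost
restriction, and HTTP/HTTPS management still enabled on external interfaces.
Example code for this article; the parser and sample config are constructed."""
from typing import Dict, List

# Constructed sample in the FortiOS backup format (not a real device dump).
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.10.0.0 255.255.255.0
    next
    edit "fortigate-tech-support"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "helpdesk"
        set accprofile "prof_readonly"
        set vdom "root"
    next
end
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "internal"
        set vdom "root"
        set ip 10.10.0.1 255.255.255.0
        set allowaccess ping https ssh
    next
end
"""


def parse_section(config: str, section: str) -> Dict[str, Dict[str, str]]:
    """Return {entry_name: {key: value}} for one top-level 'config <section>'.

    Only the flat edit/set/next/end structure is interpreted; nested
    'config ... end' sub-blocks inside an entry are skipped (assumption)."""
    entries: Dict[str, Dict[str, str]] = {}
    current, inside, depth = None, False, 0
    for raw in config.splitlines():
        line = raw.strip()
        if not inside:
            if line == f"config {section}":
                inside = True
            continue
        if line.startswith("config "):        # nested sub-block: track depth
            depth += 1
        elif line == "end":
            if depth == 0:
                break                         # end of the requested section
            depth -= 1
        elif depth:
            continue                          # ignore settings inside sub-blocks
        elif line.startswith("edit "):
            current = line[5:].strip('"')
            entries[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            entries[current][key] = value.strip('"')
        elif line == "next":
            current = None
    return entries


def unexpected_super_admins(config: str, known_admins: List[str]) -> List[str]:
    """Accounts holding the super_admin profile that are not on the allowlist."""
    admins = parse_section(config, "system admin")
    return sorted(name for name, s in admins.items()
                  if s.get("accprofile") == "super_admin" and name not in known_admins)


def admins_without_trusthost(config: str) -> List[str]:
    """Admin accounts with no trusthostN entry, i.e. reachable from any source IP."""
    admins = parse_section(config, "system admin")
    return sorted(name for name, s in admins.items()
                  if not any(k.startswith("trusthost") for k in s))


def interfaces_exposing_admin(config: str, external_ifaces: List[str]) -> List[str]:
    """External interfaces whose allowaccess still includes http or https."""
    ifaces = parse_section(config, "system interface")
    exposed = []
    for name in external_ifaces:
        access = ifaces.get(name, {}).get("allowaccess", "").split()
        if "https" in access or "http" in access:
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    print("unexpected super_admin accounts:", unexpected_super_admins(SAMPLE_CONFIG, ["admin"]))
    print("admins without trusthost:", admins_without_trusthost(SAMPLE_CONFIG))
    print("external interfaces with HTTP(S) admin:", interfaces_exposing_admin(SAMPLE_CONFIG, ["wan1"]))
```

Run it against a plaintext configuration backup exported from the device, replacing `SAMPLE_CONFIG` with the file contents and the allowlist with the accounts your organization actually provisioned; any super_admin name outside that list, any admin account with no `trusthost` entry, or any Internet-facing interface still listing `https` in `allowaccess` is a finding to act on under Fortinet's guidance above.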

Hanley says organizations sometimes may not be able to patch due to the potential downtime associated with updating a device. He adds, “However, an organization should be able to apply [the] workaround to prevent this vulnerability from being exploited on unpatched machines by following Fortinet’s guidance.”