9:35am, 11 October 2022
TLP Rating:
Fortinet software authentication bypass vulnerability
A vulnerability has been discovered that affects FortiOS and FortiProxy. FortiGate and FortiWifi devices run FortiOS and are affected.
This vulnerability (CVE-2022-40684) allows for an attacker to bypass authentication to the administrative interface and may allow them to run commands remotely.
CERT NZ is aware of an open-source report that exploitation has occurred in the wild. We strongly recommend you investigate and patch your FortiOS and FortiProxy products as soon as possible.
What to look for
How to tell if you're at risk
FortiGate/FortiWifi devices running FortiOS and FortiProxy products are vulnerable if they are running:
- FortiOS versions 7.2.0 through to 7.2.1
- FortiOS versions 7.0.0 through to 7.0.6
- FortiProxy version 7.2.0
- FortiProxy versions 7.0.0 through to 7.0.6
If you only have SSL-VPN exposed, this vulnerability does not affect you.
How to tell if you're affected
CERT NZ recommends checking through your devices’ logs for the following indicator of compromise:
user="Local_Process_Access"
What to do
Prevention
Upgrade your FortiOS and FortiProxy products to the latest version:
- Either FortiOS version 7.2.2 or 7.0.7
- Either FortiProxy version 7.2.1 or 7.0.7
Mitigation
For alternative mitigations, CERT NZ recommends disabling HTTPS Administration on interfaces that are exposed to the internet and only allowing HTTPS Administration on a dedicated management network.
More information
Fortinet has published further details:
PSIRT Advisories | FortiGuard (fortinet.com) External Link
.
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.