The Fortinet authentication bypass vulnerability that was discovered last week and has been confirmed in the wild was the subject of at least two recent research blogs and on Tuesday was entered into the CISA Known Exploited Vulnerabilities (KEV) Catalog.

Fortinet released an update on Monday that detailed how security teams can check their logs for indicators of compromise, a topic that was also covered in a blog yesterday by Horizon3.ai.

Jerrod Piker, competitive intelligence analyst at Deep Instinct, explained that this exploit – CVE-2022-40684 – functions as a vulnerability in the HTTP/S admin access to most Fortinet solutions. Piker said any organizations that deployed Fortinet devices running FortiOS, FortiProxy, or FortiSwitchManager should immediately respond to this alert, especially since CVE-2022-40684 has been exploited in the wild.

Piker added that the vulnerability lets an unauthenticated user perform administrative actions through the HTTP/S administration portal. These actions may include, but are not limited to: admin SSH key modification to allow access by a remote attacker; creation of new local users; modification of configuration to reroute traffic; and access to full system configurations.

Mike Parkin, senior technical engineer at Vulcan Cyber, said vulnerabilities in security products are always problematic, especially when they are on an edge or gateway device.

“While Fortinet has released an update and offers workarounds that could mitigate the risk, because there’s evidence this has already been exploited in the wild, anyone using the affected products should update sooner, rather than later, and at least restrict access to the devices per industry best practices,” Parkin said.

David Farquhar, solutions architect at Nucleus Security, which also published a blog on Tuesday by Ryan Cribelar on this vulnerability, said the Fortinet products are the types of devices that live at the edge of the network, so they are intended to protect it. As a result, Farquhar said they are the very last place that organizations want an attacker getting access to the management interface.

“In theory, you shouldn’t have that management interface accessible on the internet,” Farquhar said. “Unfortunately, sometimes an organization will make that management interface accessible temporarily, but then forget to close it back up, leaving them exposed. This is one reason why it’s very important to make sure that security teams are scanning all of their publicly-facing address space and looking for things that shouldn’t be there, like management interfaces.”