Key takeaway: Fortinet products are a popular attacker target. Update now if you have affected versions of FortiOS and FortiProxy in your environment. If you cannot patch immediately disable Internet facing HTTPS Admin till you can.[296 words]
What: A critical authentication bypass vulnerability (CVE-2022-40684) exists in the following FortiOS and FortiProxy versions.
FortiOS: From 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1
FortiProxy: From 7.0.0 to 7.0.6 and 7.2.0
The vulnerability allows a remote, unauthenticated attacker to gain full administrative control of affected systems via specially crafted HTTP or HTTPS requests. Earlier versions of the software are not affected.
Fortinet’s Advice: Fortinet has recommended that organizations immediately update to the following versions:
FortiOS: FortiOS versions 7.0.7 and 7.2.2
FortiProxy version 7.0.7
Organizations that are unable to immediately update should disable HTTPS admin access via the Internet till they are able to update. “If you can’t upgrade now, a good recommendation is to block access from unknown IP addresses to the affected products,” the SANS Internet Storm Center has advised.
Why organizations should pay attention: Fortinet’s technologies are a popular target for threat actors trying to gain an initial foothold on target networks. Last year the FBI and US Cybersecurity and Infrastructure Security Agency (CISA) warned of APT groups actively targeting a set of known FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-559. In November 2021, a joint cybersecurity advisory from US, Australian and UK authorities warned of an Iranian government sponsored APT scanning devices on ports 4443, 8443, and 10443 for specific Fortinet FortiOS vulnerabilities: CVE-2018- 13379, CVE-2020-12812 and CVE-2019- 5591
Further Reading:
Details on previous attacks on FortiOS/FortiProxy
Joint Cybersecurity Advisory, Nov. 2021
FBI-CISA Joint Advisory on Exploitation of Fortinet FortiOS Vulnerabilities, April 2021