A vulnerability has been discovered in FortiOS, FortiProxy and FortiSwitchManager, which could allow for authentication bypass on administrative interface. FortiOS is the Fortinet’s proprietary Operation System which is utilized across multiple product lines. FortiProxy is a secure web proxy that protects employees against internet-borne attacks by incorporating multiple detection techniques. FortiSwitch Manager is an on-premise management platform for the FortiSwitch product. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Systems Affected

• FortiOS version 7.2.0 through 7.2.1
• FortiOS version 7.0.0 through 7.0.6
• FortiProxy version 7.2.0
• FortiProxy version 7.0.0 through 7.0.6
• FortiSwitchManager version 7.2.0
• FortiSwitchManager version 7.0.0

Risk
Government:

- Large and medium government entities: High

- Small government entities: High

Businesses:

- Large and medium business entities: High
- Small business entities: High

Home Users: Low

‍

Technical Summary

A vulnerability has been discovered in FortiOS, FortiProxy and FortiSwitchManager, which could allow for authentication bypass on administrative interface. Details of this vulnerability are as follows:
‍
Tactic: Initial Access  (TA0001):
‍
Technique: Exploit Public Facing Application (T1190):
‍
CVE-2022-40684 - An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager may allow an unauthenticated atttacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.

‍

Recommendations

• Apply appropriate updates or workarounds provided by Fortinet to vulnerable systems immediately after appropriate testing.
• Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
• Restrict execution of code to a virtual environment on or in transit to an endpoint system.
• Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
• Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.
• Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from untrusted sources. Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.

References
‍
Fortinet:​​​​​​ https://www.fortiguard.com/psirt/FG-IR-22-377‍‍

Bleeping Computer:‍ https://www.bleepingcomputer.com/news/security/fortinet-warns-admins-to-patch-critical-auth-bypass-bug-immediately/‍‍

CVE:‍ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40684

‍

Reporting

The NJCCIC encourages recipients who discover signs of malicious cyber activity to contact the NJCCIC via the cyber incident report form at www.cyber.nj.gov/report.

‍