Auth bypass bug in FortiOS, FortiProxy is exploited in the wild (CVE-2022-40684)

After privately warning customers last week that they need to patch or mitigate CVE-2022-40684, a critical vulnerability affecting FortiOS, FortiProxy, and FortiSwitchManager, Fortinet has finally confirmed that it “is aware of an instance where this vulnerability was exploited.”

But their advice to organizations to immediately check their systems for a specific indicator of compromise makes it sound like they believe more widespread attacks have happened or are happening.

About CVE-2022-40684

CVE-2022-40684 is an authentication bypass vulnerability on vulnerable devices’ administrative interface that can be triggered by sending a specially crafted HTTP(S) requests.

It affects:

• FortiOS versions: 7.2.1, 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0
• FortiProxy versions: 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0
• FortiSwitchManager versions: 7.2.0, 7.0.0

Successful exploitation may allow attackers with access to the management interface to perform administrator operations and to, essentially, take control of the device.

The patch has already been reverse-engineered by security researchers:

It seems likely that other attackers will soon get their hands on an exploit or create one themselves and start targeting exposed and vulnerable FortiGate firewalls and FortiProxy secure web gateways around the world. (FortiOS vulnerabilities are often exploited by attackers).

What should you do?
You should upgrade your Fortinet appliances to a firmware version with the fix:

FortiOS version 7.2.2 or above, or version 7.0.7 or above
FortiProxy version 7.2.1 or above, or 7.0.7 or above
FortiSwitchManager version 7.2.1 or above
If that’s not possible, depending on the device, you should disable the HTTP/HTTPS administrative interface or limit IP addresses that can reach the administrative interface.

Finally, you should look for the following string in the device’s logs: user=”Local_Process_Access”. If you find it, your device has been compromised, and you should investigate the extent of the breach.

Source: https://www.helpnetsecurity.com/2022/10/11/cve-2022-40684-exploited/