CVE-2022-40684

About The Vulnerability

  1. FortiOS: As the name suggests, FortiOS, the Fortinet network operating system, is the heart of Fortinet's security products. It sits at the core of the Security Fabric and ties all components together to ensure tight integration across an organization's entire deployment.
  2. FortiProxy: A secure web proxy that protects employees against internet-borne attacks by combining multiple detection techniques such as web filtering.
  3. FortiSwitchManager (FSWM): The on-premise management platform for the FortiSwitch product. FortiSwitch units connect to FortiSwitch Manager over a layer-3 network, and a large number of FortiSwitch units can be configured from this FortiSwitch-management-only platform.

Impact

  1. Taking control of the entire application
  2. Gaining access to internal infrastructure
  3. Addition or deletion of users
  4. Exposure of sensitive data
  5. Modifying the admin users' SSH keys so that the attacker can log in to the compromised system
  6. Tampering with various configuration files, etc.
  • Using the Forwarded header, an attacker can set client_ip to "127.0.0.1".
  • The "trusted access" authentication check only verifies that client_ip is "127.0.0.1" and that the User-Agent is "Report Runner", both of which are under attacker control.
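The two conditions above are also what a defender can look for in traffic reaching the administrative interface. The following is an added example, not code from the post or from Fortinet: it parses the RFC 7239 Forwarded header and labels requests that claim a loopback client, carry the "Report Runner" User-Agent, or both. The sample requests, paths and source addresses are constructed.

```python
# Added example, not from the post: flag management-interface requests whose
# Forwarded header claims a loopback client while the User-Agent is
# "Report Runner". Sample requests are constructed, not real Fortinet logs.
LOOPBACK = {"127.0.0.1"}
TRUSTED_ACCESS_UA = "Report Runner"

def forwarded_for_values(header):
    """'for=' node identifiers of an RFC 7239 Forwarded header, without quotes, IPv6 brackets or port."""
    values = []
    for element in header.split(","):        # one element per proxy hop
        for pair in element.split(";"):      # for= ; by= ; proto= ; host=
            name, _, value = pair.strip().partition("=")
            if name.strip().lower() != "for" or not value:
                continue
            value = value.strip().strip('"')
            if value.startswith("[") and "]" in value:   # "[ipv6]:port"
                value = value[1:value.index("]")]
            elif value.count(":") == 1:                  # "ipv4:port"
                value = value.split(":", 1)[0]
            values.append(value)
    return values

def get_header(headers, name):
    """Case-insensitive header lookup; '' when absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")

def classify(headers):
    """Label one request: both conditions, either alone, or None."""
    fwd = forwarded_for_values(get_header(headers, "Forwarded"))
    claims_loopback = any(v in LOOPBACK for v in fwd)
    runner_ua = get_header(headers, "User-Agent").strip() == TRUSTED_ACCESS_UA
    if claims_loopback and runner_ua:
        return "trusted-access-bypass"   # exactly the bypass the post describes
    if claims_loopback:
        return "forwarded-loopback"      # external client claiming 127.0.0.1
    return "report-runner-ua" if runner_ua else None

def flag_requests(requests):
    """(source, path, label) for every request that gets a label."""
    return [(r["src"], r["path"], label)
            for r in requests if (label := classify(r["headers"]))]

# Constructed sample: three requests seen at the admin interface.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.7", "path": "/api/v2/cmdb/example", "headers": {
        "Forwarded": 'for="[127.0.0.1]:443";proto=https', "User-Agent": "Report Runner"}},
    {"src": "198.51.100.9", "path": "/login", "headers": {"User-Agent": "Mozilla/5.0"}},
    {"src": "203.0.113.8", "path": "/api/v2/cmdb/example", "headers": {
        "forwarded": "for=127.0.0.1", "user-agent": "curl/8.0"}},
]
```

Feed it request records exported from a reverse proxy or packet capture in front of the management port; any "forwarded-loopback" hit from an external address deserves a look even without the User-Agent, since no legitimate client should claim to be 127.0.0.1.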

Remediation

  1. Upgrade the impacted products.
    Upgrade FortiOS to 7.2.2 or later on the 7.2 branch, or 7.0.7 or later on the 7.0 branch
    Upgrade FortiProxy to 7.2.1 or later on the 7.2 branch, or 7.0.7 or later on the 7.0 branch
    Upgrade FortiSwitchManager to 7.2.1 or later on the 7.2 branch, or 7.0.1 or later on the 7.0 branch
  2. Disable the HTTP/HTTPS administrative interface on FortiOS, FortiProxy and FortiSwitchManager.
  3. For FortiOS, limit the IP addresses that can reach the administrative interface with a local-in policy.
    Create an address object for the hosts allowed to manage the device:
    config firewall address
        edit "my_allowed_addresses"
            set subnet <MY IP> <MY SUBNET>
        end
    Put that address in an address group:
    config firewall addrgrp
        edit "MGMT_IPs"
            set member "my_allowed_addresses"
        end
    Allow HTTP/HTTPS to the management interface (here port1) only from that group, and deny it from everywhere else:
    config firewall local-in-policy
        edit 1
            set intf port1
            set srcaddr "MGMT_IPs"
            set dstaddr "all"
            set action accept
            set service HTTPS HTTP
            set schedule "always"
            set status enable
        next
        edit 2
            set intf "any"
            set srcaddr "all"
            set dstaddr "all"
            set action deny
            set service HTTPS HTTP
            set schedule "always"
            set status enable
        end
    If the administrative interface listens on non-default ports, define matching service objects and use them instead of "HTTPS HTTP" in policies 1 and 2 above:
    config firewall service custom
        edit GUI_HTTPS
            set tcp-portrange <admin-sport>
        next
        edit GUI_HTTP
            set tcp-portrange <admin-port>
        end
    On a dedicated management interface, access can also be restricted to trusted IP addresses directly on the interface:
    config system interface
        edit port1
            set dedicated-to management
            set trust-ip-1 <MY IP> <MY SUBNET>
        end
