October 14, 2022

A Fortinet vulnerability in FortiGate firewalls and FortiProxy web proxies could allow a threat actor to perform unauthorized actions on vulnerable devices.

Fortinet has issued security updates to fix the vulnerability and has urged customers in private alert to disable remote management interfaces on affected devices “with utmost urgency.”

The bug, a critical bug traced as CVE-2022-40684, has a severity of 9.6 and affects some versions, including: FortiOS from 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1; FortiProxy from 7.0.0 to 7.0.6 and 7.2.0. It has however been addressed in FortiOS versions 7.0.7 and 7.2.2, and FortiProxy versions 7.0.7 and 7.2.1 released this week.

Fortinet explained that the vulnerability is related to an authentication bypass vulnerability that could allow an unauthenticated threat actor to perform arbitrary operations on the administrative interface via a specially crafted HTTP(S) request.

Security experts from Horizon3.ai provided a proof-of-concept (PoC) exploit and a technical analysis of the root cause of the vulnerability. This exploit can exploit the authentication bypass flaw to set an SSH key for the user, which is specified from the command line when the Python script is started.

Horizon3.ai researchers explained that attackers can also compromise systems by changing the administrators’ SSH keys to allow the attacker to log into the compromised system; add new local users; update network configurations to redirect traffic; download the system configuration and initiate packet captures to collect other sensitive system information.

The sources for this piece include an article in BleepingComputer.