The vulnerability impacts FortiOS versions from 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1. FortiProxy versions from 7.0.0 to 7.0.6 and 7.2.0 are also impacted.
The cybersecurity firm addressed the flaw with the release of FortiOS/FortiProxy versions 7.0.7 or 7.2.2. The company also provided a workaround for those who can’t immediately deploy security updates.
An attacker can exploit the vulnerability to log into vulnerable devices.
“An authentication bypass using an alternate path or channel [CWE-88] in FortiOS and FortiProxy may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests,” reads the advisory issued by the company’s PSIRT.
The company urges customers to address this critical vulnerability immediately due to the risk of remote exploitation of the flaw. The public availability of the PoC exploit code can fuel a wave of attacks targeting Fortinet devices.
The bad news is that the vendor confirmed this week that the critical vulnerability is being exploited in the wild.
“Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device’s logs: user="Local_Process_Access"”
Researchers at the Horizon3 Attack Team have released proof-of-concept (PoC) exploit code for the vulnerability.
“FortiOS exposes a management web portal that allows a user to configure the system,” reads the post published by Horizon3.ai. “Additionally, a user can SSH into the system which exposes a locked down CLI interface.”
The researchers demonstrated the vulnerability using FortiOS version 7.2.1. Below are the necessary conditions of a request for exploiting the issue:
client_ip is “127.0.0.1” and the User-Agent is “Report Runner”, both of which are under attacker control.
“Any HTTP requests to the management interface of the system that match the conditions above should be cause for concern. An attacker can use this vulnerability to do just about anything they want to the vulnerable system. This includes changing network configurations, adding new users, and initiating packet captures.” continues the post.
Experts pointed out that there are other ways to exploit this vulnerability and there may be other sets of conditions that work. This means that threat actors could develop their own exploit and use it in attacks in the wild. For this reason, it is essential to address the flaw immediately.
Researchers at threat intelligence firm GreyNoise have already reported attacks attempting to exploit the issue. The attacks originated from 12 unique IP addresses, most of them located in Germany, followed by the US, Brazil, China, and France.
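The log check recommended above can be scripted. The following is an added example, not code from Fortinet or Horizon3: it scans key=value log lines for the advisory's user="Local_Process_Access" indicator and for the “Report Runner” User-Agent. The field names agent and srcip and all sample lines are constructed assumptions, and because other request conditions may also work, a clean result does not prove a device was not targeted.

```python
import re

# Indicators taken from the article; everything else here is illustrative.
IOC_USER = "Local_Process_Access"   # Fortinet advisory: user= value in device logs
IOC_AGENT = "Report Runner"         # Horizon3: User-Agent value in the request
LOOPBACK = "127.0.0.1"              # Horizon3: client_ip value in the request

# key=value pairs; a value is either "quoted with spaces" or a bare token.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_kv(line):
    """Parse one key=value log line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}

def check(rec):
    """Return the reasons a parsed record matches the published indicators."""
    reasons = []
    if rec.get("user") == IOC_USER:
        reasons.append("advisory IoC user=" + IOC_USER)
    # 'agent' and 'srcip' are assumed field names for the constructed samples.
    if rec.get("agent") == IOC_AGENT:
        src = rec.get("srcip", "unknown")
        origin = "loopback" if src == LOOPBACK else "network peer " + src
        reasons.append("User-Agent '%s' from %s" % (IOC_AGENT, origin))
    return reasons

def scan(lines):
    """Return (line_number, reasons) for every line that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = check(parse_kv(line))
        if reasons:
            hits.append((n, reasons))
    return hits

# Constructed sample lines (not real device output).
SAMPLE = [
    'date=2022-10-14 time=09:12:44 type="event" user="admin" msg="Administrator admin logged in"',
    'date=2022-10-14 time=09:15:02 type="event" user="Local_Process_Access" msg="Object attribute configured"',
    'date=2022-10-14 time=09:15:01 srcip=198.51.100.23 agent="Report Runner" status=200',
    'date=2022-10-14 time=09:20:10 srcip=192.0.2.10 agent="Mozilla/5.0" status=200',
]

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE):
        print("line %d: %s" % (n, "; ".join(reasons)))
```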
(SecurityAffairs – hacking, CVE-2022-40684)