A variety of attackers are actively exploiting the recently patched authentication bypass in several Fortinet products that allows full access to a vulnerable device.
The details of the vulnerability (CVE-2022-40684) emerged publicly on Oct. 10 when Fortinet published an advisory and warned that targeted attacks were exploiting the bug. The flaw affects FortiOS, FortiProxy, and FortiSwitch Manager, and an attacker can exploit it simply by sending a malicious request to the exposed web interface. A successful attack gives the threat actor the ability to gain administrator privileges on a compromised device.
“An attacker can use this vulnerability to do just about anything they want to the vulnerable system. This includes changing network configurations, adding new users, and initiating packet captures. Note that this is not the only way to exploit this vulnerability and there may be other sets of conditions that work,” James Horseman of Horizon3.ai, an offensive security firm, said in an analysis of the flaw.
Horizon3.ai has published a proof of concept exploit for this vulnerability, as have other sources, and in the last day or so, attackers have begun targeting the bug. Data from GreyNoise, which tracks attack activity, shows 44 individual IP addresses attempting to exploit the flaw.
“FortiOS handles API calls by proxying all requests to an interface that is only accessible internally. This internal interface is responsible for verifying authentication and authorization. Proxied requests contain some additional parameters which can be used by FortiOS to bypass or authenticate internal requests. This allows an attacker to masquerade as an internal system API call, bypassing authentication on all externally-facing API endpoints,” GreyNoise researchers said in a blog post.
Fortinet has released updates for all of the affected products and recommends that customers running vulnerable versions install the updates as soon as possible. For organizations that are not able to update right away, the key workaround is to disable the HTTP administrator interface.
“The ability to make unauthenticated requests to the REST API is extremely powerful. However, we noticed that we could not add or change the password for the admin user. To get around this we updated the admin user's SSH keys to allow us to SSH to the target as admin,” Horseman said.
“This exploit seems to follow a trend among recently discovered enterprise software vulnerabilities where HTTP headers are improperly validated or overly trusted.”
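The two quoted descriptions above (GreyNoise's account of proxied requests carrying parameters that the internal interface trusts, and Horseman's remark about overly trusted HTTP headers) describe a general design weakness rather than anything specific to one vendor. The following is an added illustration of that weakness, written for this article; it is not Fortinet's code and not the analysis code of Horizon3.ai or GreyNoise. The front-end and internal handlers, the header name `X-Internal-Trusted`, the session token and the request path are all constructed for the example and are not the real FortiOS parameters, which the article does not name. It shows the weak pattern (forwarding client headers unchanged to a trusting internal interface) beside the hardened pattern (the edge strips any trust-bearing header it did not set itself).

```python
"""Added example for the 'trusted internal header' weakness class.
Not Fortinet's code; all names and values below are constructed."""

from dataclasses import dataclass, field
from typing import Optional

# Constructed marker that the internal interface treats as proof that a
# request came from the front-end rather than from an external client.
INTERNAL_TRUST_HEADER = "x-internal-trusted"
INTERNAL_TRUST_VALUE = "1"

# Constructed session store standing in for real admin authentication.
VALID_SESSIONS = {"sess-admin-constructed"}


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    session: Optional[str] = None  # valid admin session token, if any

    def normalized_headers(self) -> dict:
        # HTTP header names are case-insensitive; compare on a lowercased copy
        # so a differently-cased spoof is not missed.
        return {k.lower(): v for k, v in self.headers.items()}


def internal_api(req: Request) -> dict:
    """Internal interface: performs authentication for proxied requests.
    It trusts the marker header because, by design, only the front-end is
    supposed to set it. That assumption is the whole problem."""
    hdrs = req.normalized_headers()
    if hdrs.get(INTERNAL_TRUST_HEADER) == INTERNAL_TRUST_VALUE:
        return {"status": 200, "auth": "internal-bypass", "path": req.path}
    if req.session in VALID_SESSIONS:
        return {"status": 200, "auth": "session", "path": req.path}
    return {"status": 401, "auth": None, "path": req.path}


def vulnerable_frontend(req: Request) -> dict:
    """Weak pattern: forwards the external request's headers as-is, so a
    client-supplied trust marker reaches the internal interface unchanged."""
    forwarded = Request(req.path, dict(req.headers), req.session)
    return internal_api(forwarded)


def hardened_frontend(req: Request) -> dict:
    """Hardened pattern: the edge owns the trust marker. Every client-supplied
    copy is dropped before forwarding, and the marker is never set for traffic
    that arrived on the external listener."""
    clean = {
        k: v for k, v in req.headers.items()
        if k.lower() != INTERNAL_TRUST_HEADER
    }
    forwarded = Request(req.path, clean, req.session)
    return internal_api(forwarded)


def demo() -> dict:
    """Runs a spoofed (no session, marker set by the client) request and a
    legitimate session-backed request through both front-ends."""
    spoofed = Request("/api/admin/users",               # constructed path
                      headers={"X-Internal-Trusted": "1"})
    legit = Request("/api/admin/users",
                    session="sess-admin-constructed")
    return {
        "vulnerable_spoofed": vulnerable_frontend(spoofed)["status"],
        "hardened_spoofed": hardened_frontend(spoofed)["status"],
        "hardened_legit": hardened_frontend(legit)["status"],
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that a trust signal carried inside the request (a header or parameter) is only as strong as the component that is supposed to be the sole writer of it. The edge that terminates external connections must strip or overwrite every such field before forwarding, and the internal side should not rely on the field alone but also on where the request physically arrived (for example, a loopback or Unix-socket listener that external clients cannot reach). Where that cannot be retrofitted quickly, removing the external listener entirely, as Fortinet's workaround of disabling the HTTP administrator interface does, takes the whole path away from attackers.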