Fortinet Confirms Active Exploitation of Critical Vulnerability in Firewall and Proxy Products
On Monday, Fortinet disclosed a critical security vulnerability affecting its firewall and proxy offerings, warning that the flaw is currently being exploited in the wild. This vulnerability, tracked as CVE-2022-40684 and rated with a CVSS score of 9.6, allows attackers to bypass authentication protocols within FortiOS, FortiProxy, and FortiSwitchManager. By utilizing carefully crafted HTTP(S) requests, an unauthorized remote actor can gain access to the administrative interface, posing significant risks to network security.
Fortinet has acknowledged that they are aware of specific instances where this vulnerability has been exploited. As a precautionary measure, the company advises users to check system logs for the indicator of compromise: user=”Local_Process_Access.” This information was shared in a recent advisory, emphasizing the urgency of addressing the issue.
Affected products include various versions of FortiOS, FortiProxy, and FortiSwitchManager, notably versions released between 7.0.0 and 7.2.1. Fortinet has since released patched versions, including FortiOS versions 7.0.7 and 7.2.2, along with updates for FortiProxy and FortiSwitchManager.
The disclosure of this vulnerability follows Fortinet’s communications to its customers, urging immediate patch application to mitigate potential threats. The timing suggests an increased urgency, as federal agencies are now required to implement these patches by November 1, 2022, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which has added this vulnerability to its Known Exploited Vulnerabilities catalog.
For organizations unable to update their systems, Fortinet recommends disabling the HTTP/HTTPS administrative interface or restricting access to this interface to specific IP addresses, a temporary measure to enhance security while awaiting patches.
Experts in the field are concerned that threat actors will soon exploit this vulnerability widely. Zach Hanley, a chief attack engineer at Horizon3.ai, remarked on the appeal of vulnerabilities affecting edge devices within corporate networks. This vulnerability, he noted, has the potential to facilitate perimeter breaches, making it highly attractive to attackers.
Potential tactics involved in this incident align with the MITRE ATT&CK framework, particularly under initial access, persistence, and privilege escalation. These techniques highlight the methods that attackers could leverage to gain unauthorized access to sensitive network components.
In the coming days, further details and proof-of-concept (PoC) code for the vulnerabilities will likely surface, raising concerns that more adversaries may incorporate this exploit into their strategies. The history of past vulnerabilities, such as CVE-2018-13379, indicates that flaws within Fortinet’s infrastructure have consistently attracted malicious activity, suggesting this latest vulnerability could similarly be targeted.
As the cybersecurity landscape continues to evolve, business owners must remain vigilant and proactive, ensuring their systems are updated and secure against emerging threats.