Fortinet Issues Emergency Patch for Authentication Bypass

Highlights:

• According to Security Week, the email was disseminated across several social media platforms and Fortinet forums in the days that followed.

Following a serious flaw found and made public last week, Fortinet Inc. released emergency patches for several of its products today.

The vulnerability, identified as CVE-2022-40684, has been outlined by Fortinet as an authentication bypass. The bypass uses a different path or channel vulnerability in FortiOS, FortiProxy, FortiOS and FortiSwitchManager that could let a dubious attacker execute work on the administrative interface through a specially crafted HTTP or HTPPS request. Fortinet said that it knows of a situation where the vulnerability was used.

Last week, Fortinet sent emails to “select customers” about the vulnerability. According to Security Week, copies of the email were disseminated across several social media platforms and Fortinet forums in the days that followed.

A few versions of the Fortinet software that were exposed to the vulnerability included FortiOS 7.0.0 to 7.06, 7.2.0, and 7.2.1; FortiProxy 7.0.0 to 7.0.6 and 7.2.0; and FortiSwitchManager 7.0.0 and 7.2.0. FortiOS has released updated versions for FortiOS 7.0.7 and 7.2.2 and higher, FortiProxy 7.0.7 and 7.2.1 and higher, and FortiSwitchManager 7.2.1 or higher.

Besides launching patches and new versions of the software that was affected, Fortinet recommends that users check their systems against the user=”Local Process Access” in device logs. There are other ways to fix the problem for people who can’t install a patch, at least right away.

For FortiOS and FortProxy, you can get around the problem by turning off HTTP/HTTPS administrative access or limiting IP addresses that can reach the administrative interface. The only thing one can do with FortiSwitchManager is to turn off the HTTP/HTTPS administrative access. Customers can also call Fortinet customer support to help with these options.

Even though Fortinet has released patches and workarounds, there is still a chance that the vulnerability can still be exploited. The Horizon3 Attack Team tweeted that it is currently developing a proof-of-concept exploit, which it intends to publish later this week.

Fortinet did not disclose how many of its customers were affected. However, Cyberthint, a cyber threat intelligence platform company, thinks that more than 150,000 Fortinet devices are open to attack.