Forum Discussion
Authentication Bypass Vulnerability in FortiGate FortiOS and FortiProxy (CVE-2022-40684)
Updates
10/10 - Fortinet has released their FG-IR-22-377 advisory and noted that exploitation has been observed. Refer to the Tenable blog post linked below for more information.
10/7 - A blog post has been published. More information below.
Last week, Tenable Research began investigating a newly released CVE, CVE-2022-40684, affecting FortiGate FortiOS and FortiProxy. At the time, no PSIRT release from FortiGate had been published; however, several social media threads provided screenshots of a Fortinet Customer Support Bulletin (CSB-221006-1) that recommended administrators patch this with the “utmost urgency.” Their advisory has since been released and notes that exploitation has been observed.
CVE-2022-40684 is an authentication bypass vulnerability affecting the administrative interface. The advisory provides workaround instructions if you are not able to immediately patch which recommend restricting access to the administrative interface. Fortinet provides steps on this in their hardening guide and recommends disabling administrative access to the internet as part of their system administrator best practices. They also provide steps on restricting access to trusted hosts/IP addresses for those that want to retain access to the administrative interface. Both of these suggestions are also covered in the advisory.
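As an added illustration of the workaround above (this is example code written for this post, not Tenable's plugin or Fortinet's code), here is a small Python audit over a constructed FortiOS `show system admin` / `show system interface` dump that flags administrator accounts with no trusted hosts configured and WAN-role interfaces that still permit a management protocol in `allowaccess`. The sample configuration, and treating `set role wan` as "internet-facing", are assumptions.

```python
import re
# Constructed sample of FortiOS 'show' output (not from a real device).
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
    next
    edit "netops"
        set trusthost1 10.10.0.0 255.255.255.0
    next
end
config system interface
    edit "wan1"
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set allowaccess ping https ssh
        set role lan
    next
end
"""
ADMIN_PROTOCOLS = {"https", "http", "ssh", "telnet"}

def parse_blocks(text, section):
    """Return {name: [lines]} for each 'edit' entry of one config section."""
    m = re.search(rf"^config {section}$\n(.*?)^end$", text, re.S | re.M)
    entries, name = {}, None
    for line in (m.group(1) if m else "").splitlines():
        line = line.strip()
        if line.startswith("edit "):
            name = line.split(" ", 1)[1].strip('"')
            entries[name] = []
        elif line == "next":
            name = None
        elif name is not None:
            entries[name].append(line)
    return entries

def admins_without_trusthost(text):
    """Admins lacking any 'set trusthostN' line accept logins from any source address."""
    return sorted(n for n, ls in parse_blocks(text, "system admin").items()
                  if not any(l.startswith("set trusthost") for l in ls))

def wan_interfaces_with_admin_access(text):
    """Interfaces with 'set role wan' that allow a management protocol in allowaccess."""
    out = []
    for name, ls in parse_blocks(text, "system interface").items():
        access = {p for l in ls if l.startswith("set allowaccess ") for p in l.split()[2:]}
        if "set role wan" in ls and access & ADMIN_PROTOCOLS:
            out.append((name, sorted(access & ADMIN_PROTOCOLS)))
    return out
```

Feed it the output of `show system admin` and `show system interface` concatenated; an empty result from both functions means every admin is pinned to trusted hosts and no WAN-role interface exposes HTTPS/SSH/HTTP/Telnet management.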
A Tenable blog post has been published that links to our plugin coverage for this vulnerability. Note that Plugin ID 73522 can be used to identify the version of Fortinet devices in your network. This plugin does require providing SSH credentials for the device. In addition, Plugin ID 165763 has been released to identify unpatched hosts.