{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2022-070.pdf"
    },
    "title": "UPDATE: FortiOS and FortiProxy Critical Vulnerability",
    "serial_number": "2022-070",
    "publish_date": "14-10-2022 09:30:00",
    "description": "On 10 October 2022, Fortinet released a security advisory to warn about a critical vulnerability (CVSS v3 score: 9.6), tracked as CVE-2022-40684, impacting FortiOS, FortiProxy and FortiSwitchManager. The exploitation of this vulnerability allows an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.<br>Fortinet is aware of at least one instance where this vulnerability was exploited and hence it is recommended to remediate this vulnerability with the utmost urgency.<br>A proof-of-concept (PoC) exploit and a technical root cause analysis for this vulnerability have been published by the Horizon3.ai security researchers.",
    "url_title": "2022-070",
    "content_markdown": "---\ntitle: 'FortiOS and FortiProxy Critical\u00a0Vulnerability'\nversion: '1.1'\nnumber: '2022-070'\noriginal_date: 'October 10, 2022'\ndate: 'October 14, 2022'\n---\n\n_History:_\n\n* _11/10/2022 --- v1.0 -- Initial publication_\n* _14/10/2022 --- v1.1 -- Update with the newly available proof-of-concept exploit code_\n  \n# Summary\n\nOn 10 October 2022, Fortinet released a security advisory to warn about a critical vulnerability (CVSS v3 score: 9.6), tracked as CVE-2022-40684, impacting FortiOS, FortiProxy and FortiSwitchManager [1]. The exploitation of this vulnerability allows an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.\n\nFortinet is aware of at least one instance where this vulnerability was exploited and hence it is recommended to remediate this vulnerability with the utmost urgency.\n\n**_Updates of 14/10/2022_**\n\nA proof-of-concept (PoC) exploit and a technical root cause analysis for this vulnerability have been published by the Horizon3.ai security researchers [4].\n\n# Technical Details\n\nThe vulnerability is an authentication bypass using an alternate path or channel (CWE-288) in FortiOS, FortiProxy and FortiSwitchManager. It may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests [1].\n\n# Affected Products\n\nThis vulnerability affects the following Fortinet products:\n\n* FortiOS version 7.0.0 through 7.0.6 and from version 7.2.0 through 7.2.1\n* FortiProxy version 7.0.0 through 7.0.6 and version 7.2.0\n* FortiSwitchManager versions 7.0.0 and 7.2.0\n\n# Recommendations\n\nPlease upgrade to:\n\n* FortiOS version 7.0.7 or 7.2.2 or above\n* FortiProxy version 7.0.7 or 7.2.1 or above\n* FortiSwitchManager version 7.2.1 or above\n\n## Exploitation Status\n\nA proof-of-concept exploit is ready to be released [2, 3].\n\nFortinet recommends immediately checking the device logs for the following indicator of compromise:\n\n```\nuser=\"Local_Process_Access\"\n```\n\n## Workarounds\n\nIf the devices cannot be updated in a timely manner, there are workarounds that address this vulnerability by disabling the HTTP/HTTPS administrative interface or by limiting the IP addresses that can reach the administrative interface, until the upgrade can be performed. More details can be found in the Fortinet advisory [1].\n\n# References\n\n[1] <https://www.fortiguard.com/psirt/FG-IR-22-377>\n\n[2] <https://www.bleepingcomputer.com/news/security/fortinet-says-critical-auth-bypass-bug-is-exploited-in-attacks/>\n\n[3] <https://twitter.com/Horizon3Attack/status/1579285863108087810?s=20&t=2kQIYMv9xTAl4AVbX-ZI9g>\n\n[4] <https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/>\n\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>11/10/2022 --- v1.0 -- Initial publication</em></li><li><em>14/10/2022 --- v1.1 -- Update with the newly available proof-of-concept exploit code</em></li></ul><h2 id=\"summary\">Summary</h2><p>On 10 October 2022, Fortinet released a security advisory to warn about a critical vulnerability (CVSS v3 score: 9.6), tracked as CVE-2022-40684, impacting FortiOS, FortiProxy and FortiSwitchManager [1]. The exploitation of this vulnerability allows an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.</p><p>Fortinet is aware of at least one instance where this vulnerability was exploited and hence it is recommended to remediate this vulnerability with the utmost urgency.</p><p><strong><em>Updates of 14/10/2022</em></strong></p><p>A proof-of-concept (PoC) exploit and a technical root cause analysis for this vulnerability have been published by the Horizon3.ai security researchers [4].</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability is an authentication bypass using an alternate path or channel (CWE-288) in FortiOS, FortiProxy and FortiSwitchManager. It may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests [1].</p><h2 id=\"affected-products\">Affected Products</h2><p>This vulnerability affects the following Fortinet products:</p><ul><li>FortiOS version 7.0.0 through 7.0.6 and from version 7.2.0 through 7.2.1</li><li>FortiProxy version 7.0.0 through 7.0.6 and version 7.2.0</li><li>FortiSwitchManager versions 7.0.0 and 7.2.0</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>Please upgrade to:</p><ul><li>FortiOS version 7.0.7 or 7.2.2 or above</li><li>FortiProxy version 7.0.7 or 7.2.1 or above</li><li>FortiSwitchManager version 7.2.1 or above</li></ul><h3 id=\"exploitation-status\">Exploitation Status</h3><p>A proof-of-concept exploit is ready to be released [2, 3].</p><p>Fortinet recommends immediately checking the device logs for the following indicator of compromise:</p><pre><code>user=\"Local_Process_Access\"\n</code></pre><h3 id=\"workarounds\">Workarounds</h3><p>If the devices cannot be updated in a timely manner, there are workarounds that address this vulnerability by disabling the HTTP/HTTPS administrative interface or by limiting the IP addresses that can reach the administrative interface, until the upgrade can be performed. More details can be found in the Fortinet advisory [1].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.fortiguard.com/psirt/FG-IR-22-377\">https://www.fortiguard.com/psirt/FG-IR-22-377</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/security/fortinet-says-critical-auth-bypass-bug-is-exploited-in-attacks/\">https://www.bleepingcomputer.com/news/security/fortinet-says-critical-auth-bypass-bug-is-exploited-in-attacks/</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://twitter.com/Horizon3Attack/status/1579285863108087810?s=20&amp;t=2kQIYMv9xTAl4AVbX-ZI9g\">https://twitter.com/Horizon3Attack/status/1579285863108087810?s=20&amp;t=2kQIYMv9xTAl4AVbX-ZI9g</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/\">https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}