CVE-2022-40684 Fortinet Appliance Auth bypass
Description
Fortinet recently patched a critical authentication bypass vulnerability in their FortiOS, FortiProxy, and FortiSwitchManager projects CVE-2022-40684.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Web
- Last Updated: 2022-10-14
- Author: Michael Haag, Splunk
- ID: 55721831-577e-41be-beef-bdc03c81486a
Narrative
FortiOS exposes a management web portal that allows a user configure the system. Additionally, a user can SSH into the system which exposes a locked down CLI interface. Any HTTP requests to the management interface of the system that match the conditions above should be cause for concern. An attacker can use this vulnerability to do just about anything they want to the vulnerable system. This includes changing network configurations, adding new users, and initiating packet captures. Note that this is not the only way to exploit this vulnerability and there may be other sets of conditions that work. For instance, a modified version of this exploit uses the User-Agent Node.js. This exploit seems to follow a trend among recently discovered enterprise software vulnerabilities where HTTP headers are improperly validated or overly trusted. (ref Horizon3.ai)
Detections
| Name | Technique | Type |
|---|---|---|
| Fortinet Appliance Auth bypass | Exploit Public-Facing Application, External Remote Services | TTP |
Reference
- https://www.wordfence.com/blog/2022/10/threat-advisory-cve-2022-40684-fortinet-appliance-auth-bypass/
- https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/
- https://github.com/horizon3ai/CVE-2022-40684
- https://attackerkb.com/topics/QWOxGIKkGx/cve-2022-40684/rapid7-analysis
- https://www.greynoise.io/blog/fortios-authentication-bypass
source | version: 1