First published: Mon Oct 10 2022 (Updated: )
An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.

## Exploitation Status:

Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device's logs:

```
user=Local_Process_Access
```

Please contact customer support for assistance.

## UPDATE:

Fortinet is aware of instances where this vulnerability was exploited to download the config file from the targeted devices, and to add a malicious super_admin account called 'fortigate-tech-support':

```
# show system admin
edit fortigate-tech-support
set accprofile super_admin
set vdom root
set password ENC [...]
next
```

Please contact customer support for assistance.

## Workaround:

### FortiOS:

Disable the HTTP/HTTPS administrative interface

OR

Limit the IP addresses that can reach the administrative interface:

```
config firewall address
edit my_allowed_addresses
set subnet <MY IP> <MY SUBNET>
end
```

Then create an Address Group:

```
config firewall addrgrp
edit MGMT_IPs
set member my_allowed_addresses
end
```

Create the Local in Policy to restrict access only to the predefined group on the management interface (here: port1):

```
config firewall local-in-policy
edit 1
set intf port1
set srcaddr MGMT_IPs
set dstaddr all
set action accept
set service HTTPS HTTP
set schedule always
set status enable
next
edit 2
set intf any
set srcaddr all
set dstaddr all
set action deny
set service HTTPS HTTP
set schedule always
set status enable
end
```

If using non-default ports, create appropriate service objects for GUI administrative access:

```
config firewall service custom
edit GUI_HTTPS
set tcp-portrange admin-sport
next
edit GUI_HTTP
set tcp-portrange admin-port
end
```

Use these objects instead of 'HTTPS HTTP' in local-in policies 1 and 2 above.

UPDATE: When using an HA reserved management interface, the local-in policy needs to be configured slightly differently. Please see: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-a-local-in-policy-on-a-HA/ta-p/222005

Please contact customer support for assistance.

### FortiProxy:

Disable the HTTP/HTTPS administrative interface

OR

For FortiProxy VM (all versions) or FortiProxy appliance 7.0.6, limit the IP addresses that can reach the administrative interface (here: port1):

```
config system interface
edit port1
set dedicated-to management
set trust-ip-1 <MY IP> <MY SUBNET>
end
```

Please contact customer support for assistance.

### FortiSwitchManager:

Disable the HTTP/HTTPS administrative interface

Please contact customer support for assistance.
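A defender-side check for the two indicators described in the Exploitation Status and UPDATE sections above, as an added example that is not Fortinet's code nor part of the advisory: it searches exported event-log lines for the user=Local_Process_Access marker and lists super_admin accounts in `show system admin` output that are not on an operator-maintained allowlist. The log lines and config dump are constructed samples, and the allowlist `{"admin"}` is an assumption.

```python
import re
# Constructed sample FortiGate event-log lines (not from the advisory); the
# marker the advisory tells defenders to search for is user=Local_Process_Access.
SAMPLE_LOGS = [
    'date=2022-10-10 time=10:01:02 type="event" subtype="system" user="admin" ui="https(10.0.0.5)" action="login" status="success"',
    'date=2022-10-10 time=10:05:44 type="event" subtype="system" user="Local_Process_Access" ui="jsconsole" action="Edit" msg="Add system.admin fortigate-tech-support"',
    'date=2022-10-10 time=10:06:01 type="event" subtype="system" user="admin" ui="ssh(10.0.0.5)" action="Edit" msg="Edit firewall.policy 12"',
]

# Constructed "show system admin" output modelled on the snippet in the advisory.
SAMPLE_ADMIN_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "fortigate-tech-support"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC [...]
    next
    edit "noc-readonly"
        set accprofile "prof_admin"
    next
end
"""
# Matches the IoC whether the field value is quoted (as in exported logs) or bare.
IOC_USER_RE = re.compile(r'\buser="?Local_Process_Access"?')


def find_ioc_lines(lines):
    """Return the log lines carrying the advisory's indicator of compromise."""
    return [ln for ln in lines if IOC_USER_RE.search(ln)]


def parse_admins(config_text):
    """Parse 'config system admin' CLI output into {account name: accprofile}."""
    admins, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'edit\s+"?([^"\s]+)"?$', line)
        if m:
            current = m.group(1)
            admins[current] = None  # accprofile filled in when its 'set' line is seen
        elif current and line.startswith("set accprofile "):
            admins[current] = line.split()[-1].strip('"')
        elif line in ("next", "end"):
            current = None
    return admins


def unexpected_super_admins(admins, expected):
    """super_admin accounts that are not on the operator's allowlist (assumed), sorted."""
    return sorted(n for n, p in admins.items() if p == "super_admin" and n not in expected)
```

Any account returned by `unexpected_super_admins` should be treated as a potential compromise indicator and investigated with Fortinet support, as the advisory recommends.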
| Affected Software | Affected Version | How to fix |
|---|---|---|
| FortiOS | = | |
| Fortinet FortiProxy SSL VPN webmode | <=7.0.6 | |
| Fortinet FortiSwitchManager | = | |
The FG-IR-22-377 vulnerability has a high severity rating due to its potential to allow unauthorized access to the administrative interface.
To remediate FG-IR-22-377, update FortiOS, FortiProxy, and FortiSwitchManager to the latest patched versions as recommended by Fortinet.
The FG-IR-22-377 vulnerability affects users of FortiOS, FortiProxy versions up to 7.0.6, and FortiSwitchManager.
FG-IR-22-377 is classified as an authentication bypass using an alternate path or channel vulnerability.
Yes, FG-IR-22-377 can be exploited remotely by an unauthenticated attacker through specially crafted HTTP or HTTPS requests.