- The Cybersecurity and Infrastructure Security Agency on Tuesday added multiple Fortinet products to its Known Exploited Vulnerabilities Catalog, one day after the company warned an authentication bypass vulnerability was being actively exploited.
- The vulnerabilities, listed as CVE-2022-40684, allow for authentication bypass, which enables an attacker to perform operations on the administrative interface. The vulnerability, which has a CVSS score of 9.6, involved FortiOS, FortiProxy and FortiSwitchManager.
- The company initially disclosed the vulnerability on Oct. 3 and urged customers to immediately perform a software upgrade. Late last week, Fortinet sent an internal email to select customers providing a confidential warning along with mitigation advice.
The authentication bypass vulnerability could allow an attacker to perform operations on the administrative interface using specially crafted HTTP or HTTPs requests, according to Fortinet.
The ability to perform such actions is pretty much a worst case scenario for security teams who rely on the affected devices — including firewalls, web proxies and switch management platforms — to keep attackers out, according to Caitlin Condon, senior manager, software engineering (security research) at Rapid7.
“Fortinet devices frequently sit at the edge of organizations’ networks, which makes them high-value targets,” Condon said via email. “This vulnerability is likely to be exploited quickly and at scale, particularly for organizations that expose their management interfaces to the public internet.”
Condon referenced a prior Fortinet vulnerability, CVE-2018-13379, an information disclosure vulnerability in the company’s SSN VPN web portal, calling it one of the most prolifically exploited vulnerabilities in recent memory.
“Compromised credentials from those attacks were used for years to gain access to devices whose passwords weren’t changed,” Condon said.
The FBI and CISA warned in April 2021 about advanced persistent threat actors targeting Fortinet FortiOS systems.
Fortinet devices are widely used, Condon said, as Rapid7 lab researchers were able to identify more than one million devices running FortiOS. Condon cautioned the total figure doesn’t indicate they are all exposed management interfaces, but indicates the popularity of the product.
Fortinet has confirmed one instance of an organization being exploited, and Zach Hanley, chief attack engineer at Horizon3.ai, said a number of MSSP providers have indicated their customers may have been compromised.
“We are committed to the security of our customers,” Fortinet said in an emailed statement. The company referred to a statement it released Monday with mitigation guidance and additional steps. “We continue to monitor the situation and have been proactively communicating to customers, strongly urging them to immediately follow the guidance provided in connection with the CVE-2022-40684.”