CVE-2022-40684 is a critical vulnerability that allows authentication on the HTTP/HTTPS administrative interface to be bypassed.
Situation
By sending a specially crafted HTTP or HTTPS request to a vulnerable target, a remote attacker can bypass authentication and gain access to the management interface to perform administrative activities.
Affected OS
FortiOS 7.0.x
FortiOS 7.2.0-7.2.1
FortiProxy 7.0.x
FortiProxy 7.2.0
Fixed OS
FortiOS 7.0.7
FortiOS 7.2.2
FortiProxy 7.0.7
FortiProxy 7.2.1
Solution
Upgrade to the fixed OS versions.
Workaround
If you cannot apply the patches immediately, a workaround is to configure a local-in policy that restricts access to the management interface. Alternatively, disable HTTP/HTTPS administrative access on the interface.
Instructions for the local-in policy
# Define firewall address(es) with the required subnets and IP addresses
# (replace <ip_address> <netmask> with your management network)
config firewall address
    edit "my_allowed_addresses"
        set subnet <ip_address> <netmask>
    next
end
# Create a firewall address group with this/these address(es)
config firewall addrgrp
    edit "MGMT_IPs"
        set member "my_allowed_addresses"
    next
end
# Apply the group in a local-in policy to restrict access to the predefined group on the management interface (here port1).
# Order matters: the accept rule must be listed before the catch-all deny. "edit 0" lets FortiOS assign the next free policy ID.
config firewall local-in-policy
    edit 0
        set intf port1
        set srcaddr "MGMT_IPs"
        set dstaddr "all"
        set action accept
        set service HTTPS HTTP
        set schedule "always"
        set status enable
        set comments "Allow public HTTPS Admin Access to the sources"
    next
    edit 0
        set intf any
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service HTTPS HTTP
        set schedule "always"
        set status enable
        set comments "Deny public HTTPS Admin Access to the sources"
    next
end
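As an added defender-side check (not part of the original advisory), the following Python parses a FortiOS local-in-policy block and verifies the property the workaround relies on: HTTP/HTTPS must be accepted only from the restricted group, and a catch-all deny must follow that rule. The group name MGMT_IPs is taken from the page; the parser, the check and the sample configurations built by local_in_block are constructed here and only understand the config/edit/set/next/end syntax shown above.

```python
import shlex

def parse_local_in_policies(config_text):
    """Return local-in-policy entries as dicts, in FortiOS evaluation order."""
    entries, current, in_block = [], None, False
    for line in filter(None, map(str.strip, config_text.splitlines())):
        if line.startswith("#"): continue  # comment line, as in the page's snippet
        tokens = shlex.split(line)  # honours "quoted names"
        if tokens[:3] == ["config", "firewall", "local-in-policy"]:
            in_block = True
        elif not in_block:
            continue  # skip other tables (firewall address, addrgrp, ...)
        elif tokens[0] == "edit":
            current = {"id": tokens[1:]}
        elif tokens[0] == "set" and current is not None:
            current[tokens[1]] = tokens[2:]
        elif tokens[0] == "next" and current is not None:
            entries.append(current)
            current = None
        elif tokens[0] == "end":
            break
    return entries

def restricts_admin_access(config_text, allowed_group="MGMT_IPs"):
    """True only if HTTP/HTTPS is accepted solely from allowed_group and then denied for all other sources."""
    accept_seen = False
    for policy in parse_local_in_policies(config_text):
        if policy.get("status", ["enable"]) != ["enable"]:
            continue  # disabled rules are not evaluated by the firewall either
        if not {"HTTP", "HTTPS"} & set(policy.get("service", [])):
            continue  # rule does not cover the admin services
        action, src = policy.get("action", ["deny"])[0], policy.get("srcaddr", [])
        if action == "accept":
            if src != [allowed_group]:
                return False  # admin access accepted from a wider source
            accept_seen = True
        elif action == "deny" and "all" in src:
            return accept_seen  # catch-all deny reached; the allow must precede it
    return False  # no catch-all deny: unlisted sources still reach the interface

def local_in_block(*rules):
    """Constructed local-in-policy block in FortiOS CLI syntax (sample data, not a device dump)."""
    body = "".join(f'edit {i}\nset srcaddr "{src}"\nset action {act}\nset service HTTPS HTTP\nnext\n'
                   for i, (src, act) in enumerate(rules, 1))
    return f"config firewall local-in-policy\n{body}end\n"

# Constructed sample configurations (not from a live device):
GOOD_CONFIG = local_in_block(("MGMT_IPs", "accept"), ("all", "deny"))  # documented workaround
BAD_ORDER = local_in_block(("all", "deny"), ("MGMT_IPs", "accept"))    # deny-all evaluated first
BAD_SOURCE = local_in_block(("all", "accept"), ("all", "deny"))        # accepts from every source
```

Run it against the output of "show firewall local-in-policy" to confirm the two rules were created in the intended order before relying on them.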
For further information and guidance, read the Fortinet PSIRT Advisory for this CVE, which contains details and mitigations; Fortinet has also published additional indicators of compromise.