=====================================================================
CERT-Renater Note d'Information No. 2022/VULN367
_____________________________________________________________________
DATE : 10/10/2022
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running FortiOS versions prior to 7.2.2, 7.0.7, FortiProxy versions prior to 7.2.1, 7.0.7, FortiSwitchManager versions prior to 7.2.1.
=====================================================================
https://www.fortiguard.com/psirt/FG-IR-22-377
_____________________________________________________________________
IR Number     : FG-IR-22-377
Date          : Oct 10, 2022
Severity      : Critical
CVSSv3 Score  : 9.6
Impact        : Execute unauthorized code or commands
CVE ID        : CVE-2022-40684
Affected Products :
    FortiOS            : 7.2.1, 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0
    FortiProxy         : 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0
    FortiSwitchManager : 7.2.0, 7.0.0

FortiOS / FortiProxy / FortiSwitchManager - Authentication bypass on administrative interface

Summary:
An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.

Exploitation Status:
Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device's logs:

    user="Local_Process_Access"

Please contact customer support for assistance.
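An added helper, not part of the CERT-Renater note or of Fortinet's advisory, that checks a product version against the affected ranges listed above and scans key=value log lines for the user="Local_Process_Access" indicator; the sample log lines and their field names are constructed for illustration, not verified FortiOS output.

```python
import re
from typing import Dict, List, Tuple

# Indicator of compromise named in FG-IR-22-377.
IOC_USER = "Local_Process_Access"

# Inclusive affected version ranges, taken from the advisory's Affected Products list.
Version = Tuple[int, ...]
AFFECTED_RANGES: Dict[str, List[Tuple[Version, Version]]] = {
    "FortiOS": [((7, 2, 0), (7, 2, 1)), ((7, 0, 0), (7, 0, 6))],
    "FortiProxy": [((7, 2, 0), (7, 2, 0)), ((7, 0, 0), (7, 0, 6))],
    "FortiSwitchManager": [((7, 2, 0), (7, 2, 0)), ((7, 0, 0), (7, 0, 0))],
}

# key=value fields; a value is either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample log lines (field names are illustrative, not a verified schema).
SAMPLE_LOGS = [
    'date=2022-10-10 time=09:14:02 type="event" subtype="system" user="admin" '
    'ui="https(192.0.2.10)" action="login" status="success"',
    'date=2022-10-10 time=09:15:31 type="event" subtype="system" user="Local_Process_Access" '
    'ui="https(198.51.100.7)" action="Edit" msg="constructed sample entry"',
    'date=2022-10-10 time=09:16:00 type="event" subtype="system" user="admin" '
    'ui="console" action="logout" status="success"',
]


def parse_log_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def find_ioc_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Return parsed entries whose user field equals the advisory's indicator."""
    parsed = (parse_log_line(line) for line in lines)
    return [entry for entry in parsed if entry.get("user") == IOC_USER]


def is_affected(product: str, version: str) -> bool:
    """True if product/version lies inside an affected range; unlisted branches return False."""
    parts = tuple(int(p) for p in version.split("."))
    return any(lo <= parts <= hi for lo, hi in AFFECTED_RANGES.get(product, []))


if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOGS):
        print("IoC hit:", hit.get("date"), hit.get("time"), hit.get("ui"))
    print("FortiOS 7.0.6 affected:", is_affected("FortiOS", "7.0.6"))
```

Branches the advisory does not list (for example 6.4.x) are reported as not affected by this check only because they are outside its scope, not because they have been assessed.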
Workaround:

FortiOS:
Disable the HTTP/HTTPS administrative interface, OR limit the IP addresses that can reach the administrative interface:

    config firewall address
        edit "my_allowed_addresses"
            set subnet
    end

Then create an Address Group:

    config firewall addrgrp
        edit "MGMT_IPs"
            set member "my_allowed_addresses"
    end

Create the Local in Policy to restrict access only to the predefined group on the management interface (here: port1):

    config firewall local-in-policy
        edit 1
            set intf port1
            set srcaddr "MGMT_IPs"
            set dstaddr "all"
            set action accept
            set service HTTPS HTTP
            set schedule "always"
            set status enable
        next
        edit 2
            set intf "all"
            set srcaddr "all"
            set dstaddr "all"
            set action deny
            set service HTTPS HTTP
            set schedule "always"
            set status enable
    end

If using non-default ports, create appropriate service objects for GUI administrative access:

    config firewall service custom
        edit GUI_HTTPS
            set tcp-portrange
        next
        edit GUI_HTTP
            set tcp-portrange
    end

Use these objects instead of "HTTPS HTTP" in local-in policies 1 and 2 above.
Please contact customer support for assistance.

FortiProxy:
Disable the HTTP/HTTPS administrative interface, OR limit the IP addresses that can reach the administrative interface (here: port1):

    config system interface
        edit port1
            set dedicated-to management
            set trust-ip-1
    end

Please contact customer support for assistance.

FortiSwitchManager:
Disable the HTTP/HTTPS administrative interface.
Please contact customer support for assistance.
Affected Products:
    FortiOS version 7.2.0 through 7.2.1
    FortiOS version 7.0.0 through 7.0.6
    FortiProxy version 7.2.0
    FortiProxy version 7.0.0 through 7.0.6
    FortiSwitchManager version 7.2.0
    FortiSwitchManager version 7.0.0

Solutions:
    Please upgrade to FortiOS version 7.2.2 or above
    Please upgrade to FortiOS version 7.0.7 or above
    Please upgrade to FortiProxy version 7.2.1 or above
    Please upgrade to FortiProxy version 7.0.7 or above
    Please upgrade to FortiSwitchManager version 7.2.1 or above

=========================================================
+ CERT-RENATER           | tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel       | fax : 01-53-94-20-41         +
+ 75013 Paris            | email:cert@support.renater.fr +
=========================================================