===========================================================================
                       AUSCERT Security Bulletin

                          ASB-2022.0192.2
   Critical vulnerability in FortiGate firewalls and FortiProxy software
                            11 October 2022
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiOS
                   FortiProxy
                   FortiSwitchManager
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-40684

Comment: CVSS (Max):  9.6 CVE-2022-40684 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Fortinet
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Revision History:  October 11 2022: Fortinet has released the PSIRT Advisory
                   October 10 2022: Initial Release

OVERVIEW

        Fortinet has reported a critical vulnerability in:

        FortiOS 7.0.0 to 7.0.6
        FortiOS 7.2.0 to 7.2.1
        FortiProxy 7.0.0 to 7.0.6 and 7.2.0
        FortiSwitchManager 7.2.0, 7.0.0 [1][2][6].

IMPACT

        It has been reported that the security flaw, tracked as CVE-2022-40684
        in FortiOS, FortiProxy and FortiSwitchManager, may allow an
        unauthenticated attacker to perform operations on the administrative
        interface via specially crafted HTTP or HTTPS requests [1][2][6].

MITIGATION

        Fortinet has released security upgrades and advises customers running
        the vulnerable versions to upgrade immediately as follows:

        upgrade to FortiOS version 7.2.2 or above
        upgrade to FortiOS version 7.0.7 or above
        upgrade to FortiProxy version 7.2.1 or above
        upgrade to FortiProxy version 7.0.7 or above
        upgrade to FortiSwitchManager version 7.2.1 or above [1][2][4][5][6]

        The company has also advised those who cannot immediately deploy the
        security updates to either limit the IP addresses that can reach the
        administrative interface using a local-in-policy, or to disable the
        HTTP/HTTPS administrative interface altogether [3][6].
        Please refer to Fortinet's FortiGuard Labs PSIRT advisory for further
        information on the workarounds.

REFERENCES

        [1] CVE-2022-40684: Remote Authentication Bypass Vulnerability in
            Fortinet Firewalls, Web Proxies
            https://www.rapid7.com/blog/post/2022/10/07/cve-2022-40684-remote-authentication-bypass-vulnerability-in-fortinet-firewalls-web-proxies/

        [2] Fortinet issues emergency patch for authentication bypass
            https://www.itnews.com.au/news/fortinet-issues-emergency-patch-for-authentication-bypass-586236

        [3] Fortinet warns admins to patch critical auth bypass bug immediately
            https://www.bleepingcomputer.com/news/security/fortinet-warns-admins-to-patch-critical-auth-bypass-bug-immediately/

        [4] Resolved issues (FortiOS 7.0.7 release notes)
            https://docs.fortinet.com/document/fortigate/7.0.7/fortios-release-notes/289806/resolved-issues

        [5] Resolved issues (FortiOS 7.2.2 release notes)
            https://docs.fortinet.com/document/fortigate/7.2.2/fortios-release-notes/289806/resolved-issues

        [6] FortiOS / FortiProxy / FortiSwitchManager - Authentication bypass
            on administrative interface
            https://fortiguard.fortinet.com/psirt/FG-IR-22-377

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================