DIVD-2022-00056 - Critical authentication bypass affecting Fortigate products

Our reference DIVD-2022-00056
Case lead Ralph Horn and Victor Pasman
Author Tom Wolters
Researcher(s)
CVE(s)
Product FortiOS, FortiProxy and FortiSwitchManager
Versions FortiOS 7.0.0 to 7.0.6 and 7.2.0 to 7.2.1; FortiProxy 7.0.0 to 7.0.6 and 7.2.0.
Recommendation Upgrade FortiOS to 7.0.7 or 7.2.2 or above; upgrade FortiProxy to 7.0.7 or 7.2.1 or above.
Workaround If updating is not possible, disable the internet-facing administration functionality.
Status Closed
Last modified 09 Jul 2023 21:39 CEST

Summary

An authentication bypass has been found in FortiOS, FortiProxy and FortiSwitchManager that may allow an unauthenticated attacker to perform administrative operations via HTTP(S) requests.

An attacker might be able to add new local users or upload a new public SSH key to gain access to the Fortigate server.

There is a public exploit available and the vulnerability is easy to exploit.

What you can do

We advise you to upgrade FortiOS to 7.0.7 or 7.2.2 or above, and FortiProxy to 7.0.7 or 7.2.1 or above. If updating is not possible, disable the internet-facing administration functionality.

If you were running a Fortigate instance on an affected version, please consider investigating, after updating, whether new or unknown public SSH keys are installed on the server. Updating does not remove them: SSH keys that were added before the update remain installed. If possible and relevant for your instance, consider disallowing public access to SSH.
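One way to run that check offline against a configuration backup, as an added example that is not DIVD's or Fortinet's code: it lists every entry under `config system admin`, fingerprints its `ssh-public-key1` to `ssh-public-key3` values, and reports accounts and keys missing from your own baseline. The function names, the baseline sets and the sample backup are assumptions constructed for illustration.

```python
import base64, hashlib, re

EDIT = re.compile(r'edit "?([^"]+)"?$')
KEY = re.compile(r'set (ssh-public-key[1-3]) "(.+)"$')

def fingerprint(key_line):
    """OpenSSH-style SHA256 fingerprint of '<type> <base64> [comment]'."""
    digest = hashlib.sha256(base64.b64decode(key_line.split()[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def admin_keys(config_text):
    """Map each 'config system admin' entry to its (setting, key) pairs."""
    admins, depth, current = {}, 0, None
    for line in map(str.strip, config_text.splitlines()):
        if depth == 0:
            depth = 1 if line == "config system admin" else 0
        elif line.startswith("config "):
            depth += 1  # nested block inside an admin entry, skipped
        elif line == "end":
            depth -= 1
        elif depth == 1 and (m := EDIT.match(line)):
            current = admins.setdefault(m.group(1), [])
        elif depth == 1 and current is not None and (m := KEY.match(line)):
            current.append(m.groups())
    return admins

def audit(config_text, expected_admins, expected_fingerprints):
    """Return (admin, reason) findings that need manual review."""
    findings = []
    for name, keys in admin_keys(config_text).items():
        if name not in expected_admins:
            findings.append((name, "unknown admin account"))
        for setting, key in keys:
            if (fp := fingerprint(key)) not in expected_fingerprints:
                findings.append((name, f"unknown key in {setting}: {fp}"))
    return findings

# Constructed key blobs and config backup, not taken from a real device.
KNOWN_KEY = "ssh-ed25519 " + base64.b64encode(b"constructed-known").decode()
ROGUE_KEY = "ssh-rsa " + base64.b64encode(b"constructed-rogue").decode()
SAMPLE = f'''config system admin
    edit "admin"
        set ssh-public-key1 "{KNOWN_KEY}"
        set ssh-public-key2 "{ROGUE_KEY}"
    next
    edit "constructed-extra-admin"
    next
end'''
print(*audit(SAMPLE, {"admin"}, {fingerprint(KNOWN_KEY)}), sep="\n")
```

Build the two baseline sets from records kept outside the device, since a backup taken after a compromise cannot vouch for itself.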

What we are doing

We are actively scanning the internet for Fortigate instances that do not have the mitigations applied and will notify system owners via the listed abuse contacts.

Timeline

Date Description
07 Oct 2022 DIVD starts tracking this vulnerability
08 Oct 2022 DIVD created a fingerprint to find Fortigate instances
10 Oct 2022 FortiGuard Labs published advisory
14 Oct 2022 DIVD starts scanning for vulnerable Fortigate instances
15 Oct 2022 DIVD sends out first rounds of notifications

More information