DIVD-2022-00056 - Critical authentication bypass affecting Fortigate products
|Case lead||Ralph Horn and Victor Pasman|
|Product||FortiOS, FortiProxy and FortiSwitchManager|
|Versions||FortiOS, 7.0.0 to 7.0.6 and 7.2.0-7.2.1. FortiProxy, 7.0.0 to 7.0.6 and 7.2.0.|
|Recommendation||Upgrade to FortiOS 7.0.7 or 7.2.2 or above, update FortiProxy 7.0.7 or 7.2.1 or above.|
|Workaround||If updating is not possible, disable the internet facing administration functionality.|
|Last modified||08 Dec 2022 16:28|
An authentication bypass has been found in FortiOS, FortiProxy and FortiSwitchManager which may allow an unauthenticated attacker to perform administrative operations via HTTP(s) requests.
An attacker might be able to add new local users or upload a new public SSH key, to gain access to the Fortigate server.
There is a public exploit available and the vulnerability is easy to exploit.
What you can do
We advise you to upgrade to FortiOS 7.0.7 or 7.2.2 or above, update FortiProxy 7.0.7 or 7.2.1 or above. If updating is not possible, disable the internet facing administration functionality.
If you were running a Fortigate instance with this version, after updating, please consider investigating if there are new -or unknown- public SSH-keys installed on the server. Even after updating Fortigate, added SSH-keys will remain installed. If possible and relevant for your instance, consider disallowing public access to SSH.
What we are doing
We are actively scanning the internet for Fortigate instances that do not have the mitigations applied and will notify system owners via the listed abuse contacts.
|07 Oct 2022||DIVD starts tracking this vulnerability|
|08 Oct 2022||DIVD created a fingerprint to find Fortigate instances|
|10 Oct 2022||FortiGuard Labs published advisory|
|14 Oct 2022||DIVD starts scanning for vulnerable Fortigate instances|
|15 Oct 2022||DIVD sends out first rounds of notifications|