CISA adds Fortinet bug to exploited vulnerabilities list
The Cybersecurity and Infrastructure Security Agency (CISA) added a recently discovered vulnerability in Fortinet appliances to its catalog of known exploited issues on Tuesday.
CISA said federal civilian agencies have until November 1 to address CVE-2022-40684 — a vulnerability affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager.
On Monday, Fortinet confirmed reports that the vulnerability was being exploited and urged its customers to upgrade their systems as soon as possible.
Both Fortinet and CISA said the vulnerability allows unauthenticated attackers to “perform operations on the administrative interface.”
BleepingComputer and several security researchers, including Tenable senior research engineer Claire Tills, said Fortinet began sending out warnings about the issue to certain customers on Friday after releasing a patch Thursday.
Fortinet told customers that the vulnerability is “critical” and "should be dealt with the utmost urgency.”
#Fortinet is currently advising it's customers on a high severity #vulnerability in
— Gi7w0rm (@Gi7w0rm) October 7, 2022
FortiOS: From 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1
FortiProxy: From 7.0.0 to 7.0.6 and 7.2.0#CVE: CVE-2022-40684#authbypass #RCE #prepareforimpact@campuscodi @uuallan @GossiTheDog pic.twitter.com/eiVrtsozC0
Tills said the private alerts from Fortinet were designed to potentially give customers a headstart in patching before going public with more information that could be used by malicious actors.
“There was significant speculation surrounding the flaw in the vacuum of official, public details from Fortinet,” Tills said.
Security researchers with Horizon3.ai have already reversed the vulnerability and plan to publish a proof-of-concept later this week.
Zach Hanley, chief attack engineer at Horizon3.ai, told The Record that it's hard to get a good idea of how common the appliances are used but said there are at least 10,000 vulnerable tools exposed to the internet.
"Fortinet devices are some of the most popular appliances used by organizations worldwide, and based on the Shodan results the United States is particularly at risk if their devices remain unpatched,” he said.
“Fortinet has observed in-the-wild exploitation of the issue already in at least one case, and reports this week point to other threat actors starting to abuse it. Vulnerabilities affecting devices on the edge of corporate networks are among the most sought after by threat actors because it leads to breaching the perimeter, and CVE-2022-40684 allows exactly this.”
Another appliance vuln down...
— Horizon3 Attack Team (@Horizon3Attack) October 10, 2022
CVE-2022-40684, affecting multiple #Fortinet solutions, is an auth bypass that allows remote attackers to interact with all management API endpoints.
Blog post and POC coming later this week. Patch now. pic.twitter.com/YS7svIljAw
He noted that past Fortinet vulnerabilities like CVE-2018-13379 have remained some of the top exploited vulnerabilities over the years and “this one will likely be no different." CVE-2018-13379 has been exploited by a wide range of threat actors including ransomware groups and state-backed hackers.
Hanley added that they do not have information on how widely exploited it is other than the case reported by Fortinet. According to Hanley, several MSSP providers have indicated that they think some of their customers may be compromised.
Tills and Vulcan Cyber’s Mike Parkin explained that vulnerabilities in security products can always be problematic, especially when it’s on an edge or gateway device.
In addition to updating the appliances or implementing workarounds that can help mitigate risk, customers should at the very least restrict access to the devices per industry best practices, Parkin said.
“Now that Fortinet has confirmed this flaw has been exploited, and given threat actors’ penchant for targeting older FortiOS vulnerabilities, organizations should urgently apply the patches,” Tills said.
“As more details about the vulnerability come to light, the higher the likelihood that threat actors will adopt the flaw into their attacks.”
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.