FortiGuard ID: FG-IR-22-377
CVE ID: CVE-2022-40684
Severity: Critical / CVSS: 9.6
Specific versions of Fortinet FortiOS (FortiGate Firewall) and FortiProxy may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
Affected versions:
FortiOS version 7.0.0 through 7.0.6
FortiOS version 7.2.0 through 7.2.1
FortiProxy version 7.0.0 through 7.0.6 and 7.2.0
Earlier versions are NOT impacted: if you are on firmware version 6.4.x, you are lucky here and no action is required for this issue.
Solution:
• Upgrade to FortiOS 7.0.7 or 7.2.2 or above
• Upgrade to FortiProxy version 7.0.7 or 7.2.1 or above
• For 6K/7K systems, please see Customer Support Bulletin CSB-221006-2 for version details.
*If these devices cannot be updated in a timely manner, HTTP/HTTPS administration on internet-facing interfaces should be disabled immediately until the upgrade can be performed. Disabling HTTPS administration on internet-facing interfaces is the quickest mitigation if you are running an affected version.
*If disabling HTTPS administration is not an option for you, apply a local-in policy that restricts which source addresses can reach the administrative interface.
NOTE: The admin "trusthost" setting does not prevent this exploit; the restriction has to be applied with a local-in policy as shown here.

1. Limit the IP addresses that can reach the administrative interface:

    config firewall address
        edit "allowed_addresses"
            set subnet <IP> <SUBNET>
        end

2. Then create an address group:

    config firewall addrgrp
        edit "MGMT_IPs"
            set member "allowed_addresses"
        end

3. Then create the local-in policy that accepts HTTP/HTTPS only from the predefined group on the management interface (here port1) and denies it from everywhere else. Policy 1 (accept) must come before policy 2 (deny), because local-in policies are evaluated in order; make sure the address you are managing the device from is in MGMT_IPs before applying the deny, or you will lock yourself out:

    config firewall local-in-policy
        edit 1
            set intf port1
            set srcaddr "MGMT_IPs"
            set dstaddr "all"
            set action accept
            set service HTTPS HTTP
            set schedule "always"
            set status enable
        next
        edit 2
            set intf "all"
            set srcaddr "all"
            set dstaddr "all"
            set action deny
            set service HTTPS HTTP
            set schedule "always"
            set status enable
        end

For FortiProxy, limit the IP addresses that can reach the administrative interface (here port1):

    config system interface
        edit port1
            set dedicated-to management
            set trust-ip-1 <IP> <SUBNET>
        end
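The following is an added example, not Fortinet's code and not part of the advisory: a small Python helper that flags which devices in an inventory fall inside the affected version ranges listed above (and which release to upgrade to), and renders the local-in-policy workaround for several management subnets at once rather than the single address shown above. The object names allowed_addresses_N and the inventory entries are assumptions for illustration; the CLI keywords are the ones used in the workaround above.

```python
"""Added example (not Fortinet's code): flag FortiOS / FortiProxy builds that fall in
the CVE-2022-40684 affected ranges, and render the advisory's local-in-policy
workaround for a list of management subnets."""
import ipaddress
import re

# Affected ranges and fixed releases as listed in the advisory:
# (first affected, last affected, first fixed release)
AFFECTED = {
    "FortiOS": [((7, 0, 0), (7, 0, 6), "7.0.7"),
                ((7, 2, 0), (7, 2, 1), "7.2.2")],
    "FortiProxy": [((7, 0, 0), (7, 0, 6), "7.0.7"),
                   ((7, 2, 0), (7, 2, 0), "7.2.1")],
}


def parse_version(text):
    """Accept '7.0.5', 'v7.0.5' or 'v7.0.5,build0304' (the form shown by
    'get system status') and return a (major, minor, patch) tuple."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def check_device(product, version):
    """Return (affected, fixed_release); fixed_release is None when not affected.
    Anything outside the listed ranges (6.4.x, 7.0.7+, 7.2.2+) is reported as
    not affected by this CVE."""
    v = parse_version(version)
    for first, last, fixed in AFFECTED[product]:
        if first <= v <= last:
            return True, fixed
    return False, None


def _ipv4(cidr):
    """'set subnet' takes an IPv4 address and mask, so reject anything else."""
    net = ipaddress.ip_network(cidr, strict=False)
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError(f"'set subnet' takes an IPv4 address and mask: {cidr}")
    return net


def local_in_policy(allowed, mgmt_intf="port1"):
    """Render the FortiOS workaround for several management subnets: one address
    object per subnet, an MGMT_IPs group, an accept local-in policy on the
    management interface and a catch-all deny for HTTP/HTTPS."""
    if not allowed:
        raise ValueError("at least one management subnet is required")
    names = []
    out = ["config firewall address"]
    for i, cidr in enumerate(allowed, 1):
        net = _ipv4(cidr)
        name = f"allowed_addresses_{i}"  # object naming is an assumption
        names.append(name)
        out += [f'    edit "{name}"',
                f"        set subnet {net.network_address} {net.netmask}",
                "    next"]
    out += ["end",
            "config firewall addrgrp",
            '    edit "MGMT_IPs"',
            "        set member " + " ".join(f'"{n}"' for n in names),
            "    next",
            "end",
            "config firewall local-in-policy",
            "    edit 1",  # accept is evaluated first, so it must precede the deny
            f"        set intf {mgmt_intf}",
            '        set srcaddr "MGMT_IPs"',
            '        set dstaddr "all"',
            "        set action accept",
            "        set service HTTPS HTTP",
            '        set schedule "always"',
            "        set status enable",
            "    next",
            "    edit 2",
            '        set intf "all"',
            '        set srcaddr "all"',
            '        set dstaddr "all"',
            "        set action deny",
            "        set service HTTPS HTTP",
            '        set schedule "always"',
            "        set status enable",
            "    end"]
    return "\n".join(out) + "\n"


def fortiproxy_trust_ip(cidr, mgmt_intf="port1"):
    """Render the FortiProxy variant: a trusted management subnet on the interface."""
    net = _ipv4(cidr)
    return "\n".join(["config system interface", f"    edit {mgmt_intf}",
                      "        set dedicated-to management",
                      f"        set trust-ip-1 {net.network_address} {net.netmask}",
                      "    end"]) + "\n"


if __name__ == "__main__":
    # Constructed inventory for the demo, not real devices.
    inventory = [("FortiOS", "v7.0.5,build0304"), ("FortiOS", "7.2.2"),
                 ("FortiProxy", "7.2.0"), ("FortiOS", "6.4.9")]
    for product, ver in inventory:
        affected, fixed = check_device(product, ver)
        print(f"{product:10} {ver:18} affected={affected} upgrade_to={fixed}")
    print(local_in_policy(["10.0.0.0/24", "192.168.50.7"]))
```

A bare host such as 192.168.50.7 is rendered as a /32 (mask 255.255.255.255); the deny policy is emitted after the accept so that the order matches the workaround above.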