How to Mitigate Fortinet Vulnerability: Authentication Bypass on Administrative Interface

Issue Summary

FortiGuard ID: FG-IR-22-377
CVE ID: CVE-2022-40684
Severity: Critical / CVSS: 9.6

Specific versions of Fortinet FortiOS (FortiGate Firewall) and FortiProxy may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.

Affected Products

FortiOS version 7.0.0 to 7.0.6

FortiOS version 7.2.0 through 7.2.1

FortiProxy: From 7.0.0 to 7.0.6 and 7.2.0

Earlier versions are NOT impacted: if you are on firmware version 6.4.x you are not affected and no action is needed.

Solutions

•	Upgrade to FortiOS 7.0.7 or 7.2.2 or above
•	Upgrade to FortiProxy version 7.0.7 or 7.2.1 or above
•	For 6K/7K Systems, please see Customer Support Bulletin CSB-221006-2 for version details.

Workarounds

* If these devices cannot be updated in a timely manner, internet-facing HTTPS administration should be disabled immediately until the upgrade can be performed. Disabling HTTPS administration on internet-facing interfaces is the quickest mitigation if you are running an affected version.
* If disabling HTTPS administration is not an option, apply a local-in firewall policy to restrict which sources can reach the administrative interface.

NOTE: Setting “trusthost” on admin accounts does not prevent this exploit.

1. Limit the IP addresses that can reach the administrative interface:

config firewall address
    edit "allowed_addresses"
        set subnet <IP> <SUBNET>
end

2. Then create an address group:

config firewall addrgrp
    edit "MGMT_IPs"
        set member "allowed_addresses"
end

3. Then create the local-in policy that restricts access to the predefined group on the management interface (port1 in this example):

config firewall local-in-policy
    edit 1
        set intf port1
        set srcaddr "MGMT_IPs"
        set dstaddr "all"
        set action accept
        set service HTTPS HTTP
        set schedule "always"
        set status enable
    next
    edit 2
        set intf "all"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service HTTPS HTTP
        set schedule "always"
        set status enable
end
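To confirm the three steps above actually took effect, here is an added Python check (not from this post or from Fortinet) that reads the output of `show firewall local-in-policy` and verifies that, in rule order, HTTP/HTTPS admin traffic is accepted only from the management group and denied from everywhere else. The sample text is constructed from the rules in this post, the function names are my own, and the check looks only at the local-in policy, not at the interface's allowaccess setting.

```python
import shlex

# Constructed sample: the two-rule local-in policy from this post as
# "show firewall local-in-policy" prints it, trimmed to the settings read below.
SAMPLE_CONFIG = """
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "MGMT_IPs"
        set action accept
        set service "HTTPS" "HTTP"
    next
    edit 2
        set intf "all"
        set srcaddr "all"
        set action deny
        set service "HTTPS" "HTTP"
    next
end
"""
ADMIN_SERVICES = {"HTTP", "HTTPS", "ALL"}  # services that expose the admin GUI/API

def parse_local_in_policies(text):
    # Reads the edit/set/next structure of that section into one dict per entry.
    policies, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("edit "):
            current = {"id": line[5:].strip('"')}
        elif line.startswith("set ") and current is not None:
            key, _, rest = line[4:].partition(" ")
            current[key] = shlex.split(rest)  # quoted values, e.g. "HTTPS" "HTTP"
        elif line in ("next", "end") and current is not None:
            policies.append(current)
            current = None
    return policies

def admin_access_restricted(policies):
    # First match wins on the device, so walk top-down: an enabled accept of admin
    # services from "all" before the catch-all deny, or no such deny, means exposed.
    for p in policies:
        if p.get("status", ["enable"])[0] != "enable":
            continue
        if not ADMIN_SERVICES & set(p.get("service", [])):
            continue
        action, src = p.get("action", [""])[0], p.get("srcaddr", [])
        if action == "accept" and "all" in src:
            return False
        if action == "deny" and src == ["all"] and p.get("intf") == ["all"]:
            return True
    return False
```

Paste the real `show firewall local-in-policy` output into `SAMPLE_CONFIG` (or read it from a file) and run `admin_access_restricted(parse_local_in_policies(...))`; a `False` result means the admin ports are still reachable from arbitrary sources.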

For FortiProxy

Limit the IP addresses that can reach the administrative interface (port1 in this example):

config system interface
    edit port1
        set dedicated-to management
        set trust-ip-1 <IP> <SUBNET>
end

Useful links

Remote Authentication Bypass Vulnerability in Fortinet Firewalls, Web Proxies | Rapid7 Blog

Technical Tip: Restrict HTTPS access from certain … – Fortinet Community
