Headline
Critical Flaw Exploited to Bypass Fortinet Products and Compromise Orgs
By Waqas The flaw is tracked as CVE-2022-40684 in FortiOS, while its exploit is being sold on a popular Russian hacker forum. This is a post from HackRead.com Read the original post: Critical Flaw Exploited to Bypass Fortinet Products and Compromise Orgs
While performing routine monitoring, Cyble’s Global Sensor Intelligence (GIS) discovered a threat actor is distributing unauthorized access to several Fortinet VPNs on a Russian cybercrime forum.
When they evaluated the access, researchers realized that the attacker was trying to add a new public key to the admin user’s account. Further probe revealed that the targeted organizations used outdated FortiOS software.
This indicated the attacker was managing authentication bypass by exploiting a channel or alternate path flaw tracked as CVE-2022-40684 in FortiOS. This authentication bypass flaw lets an unauthorized/unauthenticated attacker exploits the administrative interface.
Impacted Products and Firmware Versions
According to Cyble’s research published on November 24, 2022, multiple Fortinet versions are affected by this flaw, including FortiOS, FortiProxy, and FortiSwitchManager. The vulnerability allows an attacker to perform operations on the “administrative interface” through specially created HTTPS or HTTP requests, Cyble’s advisory read.
As seen by Hackread.com, another threat actor on the same Russian hacker forum is currently offering the same Fortinet VPN exploit. In a listing published earlier today, the threat actor cited Censys’s search that showed there are over 400,000 exposed devices.
According to Cyble’s researchers, the following are the impacted versions of FortinetOS.
- FortiProxy version 7.2.0
- FortiSwitchManager version 7.2.0
- FortiSwitchManager version 7.0.0
- FortiOS version 7.0.0 through 7.0.6
- FortiOS version 7.2.0 through 7.2.1
- FortiProxy version 7.0.0 through 7.0.6
Vulnerability Details
Research revealed that Fortinet software had been targeted since 17 October 2022. The attacker exploits the controlling mechanism of a function to target impacted versions of Fortinet products.
The function evaluates the affected devices’ access to another functionality called REST API. The attacker adds an SSH key to the admin account when exploiting the flaw to access SSH and invade the impacted system as admin.
To further compromise the system, the threat actor will modify the admin user’s SSH key and log in to the infected system. Then they would add new local users and update networking configurations for rerouting traffic. Next, the attacker downloads the system configuration and initiates packet captures for capturing sensitive system information.
The Dark Web Connection
According to researchers, there are over a hundred thousand internet-exposed FortiGate firewalls that are under the radar of attackers and vulnerable to the flaw. Given the sheer number of exposed products, the vulnerability was categorized as critical.
Researchers suspect that sensitive system data, configuration information, and network details might be shared over the Dark Web. That’s because the attacker can add or update a valid public SSH key to the targeted account on a system and gain full access to that system.
Moreover, the attacker may launch additional attacks against the remaining IT ecosystem of the organization after obtaining information via exploitation of this flaw. They are distributing initial access over the Dark Web, which has been used in several high-profile attacks lately.
- Russia Hackers Abusing BRc4 Red Team Penetration Tool
- 34 Russian Hacking Groups Stole 50 Million User Passwords
- Hackers leak login credentials of vulnerable Fortinet SSL VPNs
- Hackers Selling US Colleges VPN Credentials on Russian Forums
- Data of 21M SuperVPN, and GeckoVPN users leaked on Telegram
I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism
Related news
The China-linked threat actor known as Earth Lusca has been observed targeting government entities using a never-before-seen Linux backdoor called SprySOCKS. Earth Lusca was first documented by Trend Micro in January 2022, detailing the adversary's attacks against public and private sector entities across Asia, Australia, Europe, North America. Active since 2021, the group has relied on
Some 340,000 FortiGate SSL VPN appliances remain exposed to the threat more than three weeks after Fortinet released firmware updates to address the issue.
Users urged to apply updates to FortiOS SSL-VPN after attackers may have leveraged a recently discovered vulnerability in attacks against government, manufacturing, and critical infrastructure organizations.
Fortinet FortiOS, FortiProxy, and FortiSwitchManager version 7.2.1 suffers from a authentication bypass vulnerability.
Fortinet on Monday issued emergency patches for a severe security flaw affecting its FortiOS SSL-VPN product that it said is being actively exploited in the wild. Tracked as CVE-2022-42475 (CVSS score: 9.3), the critical bug relates to a heap-based buffer overflow vulnerability that could allow an unauthenticated attacker to execute arbitrary code via specially crafted requests. The company said
The vulnerability, disclosed In October, gives an unauthenticated attacker a way to take control of an affected product.
Chinese and Russian cyber-spies actively targeting security vulnerability
This Metasploit module exploits an authentication bypass vulnerability in the Fortinet FortiOS, FortiProxy, and FortiSwitchManager API to gain access to a chosen account and then adds an SSH key to the authorized_keys file of the chosen account, allowing you to login to the system with the chosen account. Successful exploitation results in remote code execution.
An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated atttacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
The authentication bypass flaw in FortiOS, FortiProxy and FortiSwitchManager is easy to find and exploit, security experts say.
A proof-of-concept (PoC) exploit code has been made available for the recently disclosed critical security flaw affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager, making it imperative that users move quickly to apply the patches. "FortiOS exposes a management web portal that allows a user to configure the system," Horizon3.ai researcher James Horseman said. "Additionally, a user can
Fortinet on Monday revealed that the newly patched critical security vulnerability impacting its firewall and proxy products is being actively exploited in the wild. Tracked as CVE-2022-40684 (CVSS score: 9.6), the flaw relates to an authentication bypass in FortiOS, FortiProxy, and FortiSwitchManager that could allow a remote attacker to perform unauthorized operations on the administrative
Fortinet has privately warned its customers of a security flaw affecting FortiGate firewalls and FortiProxy web proxies that could potentially allow an attacker to perform unauthorized actions on susceptible devices. Tracked as CVE-2022-40684, the high-severity flaw relates to an authentication bypass vulnerability that could permit an unauthenticated adversary to perform arbitrary operations on
The bug is under active exploitation; Fortinet issued a customer advisory urging customers to apply its update immediately.