Authentication bypass in administrative interface Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-22-377 Final 1 1 2022-10-10T00:00:00 Current version 2022-10-10T00:00:00 2022-10-10T00:00:00 An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.Exploitation Status:Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device's logs:user=Local_Process_AccessPlease contact customer support for assistance.UPDATE:Fortinet is aware of instances where this vulnerability was exploited to download the config file from the targeted devices, and to add a malicious super_admin account called 'fortigate-tech-support':# show system adminedit fortigate-tech-supportset accprofile super_adminset vdom rootset password ENC [...]nextPlease contact customer support for assistance.Workaround:FortiOS:Disable HTTP/HTTPS administrative interfaceORLimit IP addresses that can reach the administrative interface:config firewall addressedit my_allowed_addressesset subnet <MY IP> <MY SUBNET>endThen create an Address Group:config firewall addrgrpedit MGMT_IPsset member my_allowed_addressesendCreate the Local in Policy to restrict access only to the predefined group on management interface (here: port1):config firewall local-in-policyedit 1set intf port1set srcaddr MGMT_IPsset dstaddr allset action acceptset service HTTPS HTTPset schedule alwaysset status enablenextedit 2set intf anyset srcaddr allset dstaddr allset action denyset service HTTPS HTTPset schedule alwaysset status enableendIf using non default ports, create appropriate service object for GUI administrative access:config firewall service customedit GUI_HTTPSset tcp-portrange admin-sportnextedit GUI_HTTPset tcp-portrange admin-portendUse these objects instead of 'HTTPS HTTP' in the local-in policy 1 and 2 below.UPDATE: When using an HA reserved management interface, the local in policy needs to be configured slightly differently - please see: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-a-local-in-policy-on-a-HA/ta-p/222005https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-a-local-in-policy-on-a-HA/ta-p/222005Please contact customer support for assistance.FortiProxy:Disable HTTP/HTTPS administrative interfaceORFor FortiProxy VM all versions or FortiProxy appliance 7.0.6:Limit IP addresses that can reach the administrative interface (here: port1):config system interfaceedit port1set dedicated-to managementset trust-ip-1 <MY IP> <MY SUBNET>endPlease contact customer support for assistance.FortiSwitchManager:DIsable HTTP/HTTPS administrative interfacePlease contact customer support for assistance. None Execute unauthorized code or commands FortiOS 7.2.1 FortiOS 7.2.0 FortiOS 7.0.6 FortiOS 7.0.5 FortiOS 7.0.4 FortiOS 7.0.3 FortiOS 7.0.2 FortiOS 7.0.1 FortiOS 7.0.0 FortiProxy 7.2.0 FortiProxy 7.0.6 FortiProxy 7.0.5 FortiProxy 7.0.4 FortiProxy 7.0.3 FortiProxy 7.0.2 FortiProxy 7.0.1 FortiProxy 7.0.0 FortiSwitchManager 7.2.0 FortiSwitchManager 7.0.0 CVE-2022-40684 FortiOS-7.2.1 FortiOS-7.2.0 FortiOS-7.0.6 FortiOS-7.0.5 FortiOS-7.0.4 FortiOS-7.0.3 FortiOS-7.0.2 FortiOS-7.0.1 FortiOS-7.0.0 FortiProxy-7.2.0 FortiProxy-7.0.6 FortiProxy-7.0.5 FortiProxy-7.0.4 FortiProxy-7.0.3 FortiProxy-7.0.2 FortiProxy-7.0.1 FortiProxy-7.0.0 FortiSwitchManager-7.2.0 FortiSwitchManager-7.0.0 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:U/RC:C https://fortiguard.fortinet.com/psirt/FG-IR-22-377 Authentication bypass in administrative interface Reference>