Fortinet warns of critical flaw in its security appliance OSes, admin panels
Naturally, they're already under attack – so you know what to do next
Security appliance vendor Fortinet has become the subject of a bug report by its own FortiGuard Labs after the discovery of a critical-rated flaw in three of its products.
CVE-2022-40684 is rated 9.6/10 on the Common Vulnerability Scoring System (CVSS), meaning it is considered a critical flaw worthy of immediate attention.
FortiGuard's advisory explains why the flaw scored so highly, revealing it's an authentication bypass present in FortiOS, FortiProxy, and FortiSwitchManager.
FortiOS is the operating system for Fortinet's security appliances, FortiProxy is the company's secure web proxy, and FortiSwitchManager manages Fortinet's Ethernet switches.
The flaw could allow "an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests."
Which means an unknown party could be messing with your security appliances or switches as you read this story. Indeed, Fortinet has warned that it is "aware of an instance where this vulnerability was exploited."
The company's advice is to check your device logs for an entry that reads user="Local_Process_Access", as that's an indicator of compromise. If you find that, get on the phone to Fortinet customer service.
Other customers have been urged to disable HTTP/HTTPS access in FortiOS and FortiProxy or restrict the IP addresses that can reach that interface.
FortiSwitchManager customers have only the first option: disabling the HTTP/HTTPS admin interface.
Across all three products, the next step is to upgrade affected versions of FortiOS, FortiProxy and FortiSwitchManager to a fixed release, as follows:
- Upgrade FortiOS version 7.2.0 through 7.2.1 to version 7.2.2
- Upgrade FortiOS version 7.0.0 through 7.0.6 to version 7.0.7 or above
- Upgrade FortiProxy version 7.2.0 to FortiProxy version 7.2.1 or above
- Upgrade FortiProxy version 7.0.0 through 7.0.6 to FortiProxy version 7.0.7 or above
- Upgrade FortiSwitchManager version 7.2.0 to version 7.2.1 or above
- Upgrade FortiSwitchManager version 7.0.0 to version 7.0.71 or above
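As an added example (not Fortinet's own tooling), the following script turns the two checks above into code: it scans key=value log lines for the user="Local_Process_Access" indicator, and it maps a (product, version) pair to the fixed release from the upgrade list. The log lines are constructed samples in FortiOS-style format, and the field names other than user are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines in FortiOS-style key=value format (not real device output).
SAMPLE_LOGS = [
    'date=2022-10-10 time=14:01:02 type="event" subtype="system" user="admin" ui="https(192.0.2.10)" action="login" status="success"',
    'date=2022-10-10 time=14:03:17 type="event" subtype="system" user="Local_Process_Access" ui="https(198.51.100.7)" action="Edit" msg="Edit system.admin"',
    'date=2022-10-10 time=14:05:00 type="event" subtype="system" user="admin" ui="console" action="logout"',
]

# key=value pairs; values may be double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_kv(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict; quoted values keep only their inner text."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}


def find_ioc(lines: List[str], ioc_user: str = "Local_Process_Access") -> List[Dict[str, str]]:
    """Return parsed entries whose user field matches the advisory's indicator of compromise."""
    return [rec for rec in map(parse_kv, lines) if rec.get("user") == ioc_user]


# Affected ranges (inclusive) and the fixed version, exactly as in the upgrade list above.
AFFECTED = {
    "FortiOS": [((7, 2, 0), (7, 2, 1), "7.2.2"), ((7, 0, 0), (7, 0, 6), "7.0.7")],
    "FortiProxy": [((7, 2, 0), (7, 2, 0), "7.2.1"), ((7, 0, 0), (7, 0, 6), "7.0.7")],
    "FortiSwitchManager": [((7, 2, 0), (7, 2, 0), "7.2.1"), ((7, 0, 0), (7, 0, 0), "7.0.71")],
}


def to_tuple(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple of integers."""
    return tuple(int(part) for part in version.split("."))


def affected_fix(product: str, version: str) -> Optional[str]:
    """Return the fixed release if (product, version) falls in an affected range, else None."""
    v = to_tuple(version)
    for low, high, fix in AFFECTED.get(product, []):
        if low <= v <= high:
            return fix
    return None


if __name__ == "__main__":
    for hit in find_ioc(SAMPLE_LOGS):
        print("IoC hit:", hit.get("date"), hit.get("time"), hit.get("ui"), hit.get("msg"))
    print("FortiOS 7.0.3 fix:", affected_fix("FortiOS", "7.0.3"))
```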