{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2022-40684/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["FortiOS","FortiProxy","FortiSwitchManager"],"_cs_severities":["critical"],"_cs_tags":["cve-2022-40684","fortinet","authentication-bypass","network-appliance","initial-access"],"_cs_type":"advisory","_cs_vendors":["Fortinet"],"content_html":"\u003cp\u003eCVE-2022-40684 is an authentication bypass vulnerability affecting Fortinet appliances, specifically FortiOS, FortiProxy, and FortiSwitchManager. Successful exploitation allows a remote attacker to bypass authentication and perform unauthorized administrative actions via crafted HTTP requests. Public exploits and Metasploit modules targeting this vulnerability were quickly developed and released after the vulnerability was disclosed in late 2022. The vulnerability stems from an improper access control issue, allowing attackers to interact with the REST API without proper authentication. The primary targets are organizations using unpatched Fortinet appliances, and the impact can range from data theft and denial of service to complete network compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Fortinet appliance exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request to the \u003ccode\u003e/api/v2/cmdb/system/admin\u003c/code\u003e endpoint, bypassing authentication checks.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003ePUT\u003c/code\u003e or \u003ccode\u003ePOST\u003c/code\u003e HTTP methods to modify existing administrator accounts or create new accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker adds an SSH key to an administrator account to gain persistent remote access.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly created or modified administrator account to log into the Fortinet appliance's web interface or SSH.\u003c/li\u003e\n\u003cli\u003eThe attacker reconfigures firewall rules to allow unauthorized network traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data from the network through the compromised Fortinet appliance.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised appliance as a pivot point to access other internal systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2022-40684 can lead to complete compromise of the Fortinet appliance and the network it protects. Attackers can gain unauthorized access to sensitive data, disrupt network services, and use the compromised appliance as a foothold for further attacks within the network. This vulnerability has been widely exploited, impacting numerous organizations across various sectors. Unpatched systems are at high risk of being compromised.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest Fortinet patches to address CVE-2022-40684 on all FortiOS, FortiProxy, and FortiSwitchManager appliances immediately.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eFortinet Appliance Auth Bypass Attempt\u003c/code\u003e to your SIEM to detect exploitation attempts targeting the \u003ccode\u003e/api/v2/cmdb/system/admin\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eEnable web server logging on Fortinet appliances to ensure the Sigma rule can effectively detect malicious activity.\u003c/li\u003e\n\u003cli\u003eReview existing user accounts and SSH keys for any unauthorized additions or modifications.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious outbound connections originating from Fortinet appliances.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a successful breach.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-fortinet-auth-bypass/","summary":"Exploitation of CVE-2022-40684, a Fortinet appliance authentication bypass vulnerability, allows unauthorized REST API access to modify system configurations, potentially leading to complete system compromise.","title":"Fortinet Appliance Authentication Bypass Vulnerability (CVE-2022-40684) Exploitation","url":"https://feed.craftedsignal.io/briefs/2024-01-03-fortinet-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2022-40684","version":"https://jsonfeed.org/version/1.1"}