<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cve-2022-40684 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2022-40684/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2022-40684/feed.xml" rel="self" type="application/rss+xml"/><item><title>Fortinet Appliance Authentication Bypass Vulnerability (CVE-2022-40684) Exploitation</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-fortinet-auth-bypass/</link><pubDate>Wed, 03 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-fortinet-auth-bypass/</guid><description>Exploitation of CVE-2022-40684, a Fortinet appliance authentication bypass vulnerability, allows unauthorized REST API access to modify system configurations, potentially leading to complete system compromise.</description><content:encoded><![CDATA[<p>CVE-2022-40684 is an authentication bypass vulnerability affecting Fortinet appliances, specifically FortiOS, FortiProxy, and FortiSwitchManager. Successful exploitation allows a remote attacker to bypass authentication and perform unauthorized administrative actions via crafted HTTP requests. Public exploits and Metasploit modules targeting this vulnerability were quickly developed and released after the vulnerability was disclosed in late 2022. The vulnerability stems from an improper access control issue, allowing attackers to interact with the REST API without proper authentication. The primary targets are organizations using unpatched Fortinet appliances, and the impact can range from data theft and denial of service to complete network compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable Fortinet appliance exposed to the internet.</li>
<li>The attacker crafts a malicious HTTP request to the <code>/api/v2/cmdb/system/admin</code> endpoint, bypassing authentication checks.</li>
<li>The attacker uses the <code>PUT</code> or <code>POST</code> HTTP methods to modify existing administrator accounts or create new accounts.</li>
<li>The attacker adds an SSH key to an administrator account to gain persistent remote access.</li>
<li>The attacker uses the newly created or modified administrator account to log into the Fortinet appliance's web interface or SSH.</li>
<li>The attacker reconfigures firewall rules to allow unauthorized network traffic.</li>
<li>The attacker exfiltrates sensitive data from the network through the compromised Fortinet appliance.</li>
<li>The attacker uses the compromised appliance as a pivot point to access other internal systems.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2022-40684 can lead to complete compromise of the Fortinet appliance and the network it protects. Attackers can gain unauthorized access to sensitive data, disrupt network services, and use the compromised appliance as a foothold for further attacks within the network. This vulnerability has been widely exploited, impacting numerous organizations across various sectors. Unpatched systems are at high risk of being compromised.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the latest Fortinet patches to address CVE-2022-40684 on all FortiOS, FortiProxy, and FortiSwitchManager appliances immediately.</li>
<li>Deploy the Sigma rule <code>Fortinet Appliance Auth Bypass Attempt</code> to your SIEM to detect exploitation attempts targeting the <code>/api/v2/cmdb/system/admin</code> endpoint.</li>
<li>Enable web server logging on Fortinet appliances to ensure the Sigma rule can effectively detect malicious activity.</li>
<li>Review existing user accounts and SSH keys for any unauthorized additions or modifications.</li>
<li>Monitor network traffic for suspicious outbound connections originating from Fortinet appliances.</li>
<li>Implement network segmentation to limit the impact of a successful breach.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve-2022-40684</category><category>fortinet</category><category>authentication-bypass</category><category>network-appliance</category><category>initial-access</category></item></channel></rss>