Late Thursday, 6 October 2022, Fortinet disclosed a critical remote authentication bypass vulnerability ¡ªCVE-2022-40684¡ª impacting FortiOS and FortiProxy. The vulnerability could allow a remote unauthenticated threat actor to obtain access to the administrative interface and perform operations via specially crafted HTTP or HTTPS requests.?
| Product? | Impacted Versions? | Fixed Versions? |
| FortiOS? | 7.0.0 to 7.0.6?
7.2.0 to 7.2.1? |
7.0.7?
7.2.2? |
| FortiProxy? | 7.0.0 to 7.0.6?
7.2.0? |
7.0.7?
7.2.2? |
?
According to CISA¡¯s Known Exploited Vulnerabilities Catalog, threat actors have historically exploited similar Fortinet vulnerabilities to obtain initial access and move laterally within a victim¡¯s environment. Arctic Wolf assesses threat actors will likely develop a PoC exploit and exploit this vulnerability in the near term based on historical precedence and the privileges obtained via this vulnerability.?
Recommendations for CVE-2022-40684
Recommendation #1: Upgrade FortiOS and FortiProxy?
Arctic Wolf strongly recommends upgrading FortiOS?and FortiProxy to fully remediate CVE-2022-40684. ?
| Product? | Fixed Versions? |
| FortiOS? | 7.0.7?
7.2.2? |
| FortiProxy? | 7.0.7?
7.2.2? |
Note: Arctic Wolf recommends following change management best practices for applying upgrades, including testing changes in a dev environment before deploying to production to avoid any operational impact.?
Recommendation #2: Do Not Expose Admin Interfaces Externally?
Following best practices, the administrative interface should not be exposed externally. Limit IP addresses that can reach the administrative interface using a local-in-policy and implement multi-factor authentication (MFA) to make successful exploitation significantly more difficult.?
For more information on this refer to Customer Support Bulletin CSB-221006-1 and the Fortinet user authentication best practices document here: ?
