About CVEs, fathership and the recently discovered FortiOS Authentication Bypass vulnerability

The word is out. I am a FortiDaddy! And I am proud of it. No, not the type of daddy which is named after the white sweet substance, but more like a real caring father. Someone who was given the chance to raise, in this case, a FortiGate and prepare it to withstand the dangers of the world. Okay, chances are high I just had a glass too much. But, you have to admit that “FortiDaddy” doesn’t sound that bad. Maybe I should apply for a job in marketing… or not. Anyway, most of the time, my FortiGates are doing pretty fine – thanks for asking. But recently, my parental hart really skipped a beat: apparently my little ones were diagnosed with a vulnerability.

Yes indeed, I’m talking about the recently discovered authentication bypass found on FortiGate, FortiProxy and the FortiSwitch Manager.


Because this was quite some big news during the past weeks, it made me think about vulnerabilities in general.  Have you ever wondered how these things get discovered? And what happens next?

Of course, it all starts by revealing one. And this happens at a staggering rate. Only this year, cvedetails.com is already reporting 19819 vulnerabilities. In 2021, we reached 20171. With still two months to go and an approximate reporting rate of 69 vulnerabilities a day, we will definitely go over that number in 2022. Unfortunately, as being the discoverer, unless you are hired as a white hat hacker or participate in a bug bounty program, you will not get a huge prize. But, you do get the possibility to find a very cool or scary name which will definitely provide eternal fame and gratification. Think about Heartbleed or Meltdown and Spectre. Way easier to remember, plus it does a great job in creating catchy news headlines. The official name though is given by Mitre and always formulated in the form of a Common Vulnerabilities and Exposures (CVE) ID.

As soon as someone discovers a vulnerability, it is very much appreciated to report it following the principle of Coordinated Vulnerability Disclosure (CVD). Basically, this drills down to first informing the responsible parties, which are often the publishers or vendors involved. Next step is to allow them some reasonable time to fix the issue. Once a patch is ready, the vendor will publicly disclose the vulnerability. If no initiative to fix the issue is coming from the publisher, it is acceptable that the finder him/herself discloses the flaw while notifying the parties involved.

As soon as an organization is made aware of a security flaw in their product, they should register this via the Mitre CVE platform. Then, one of the CVE Numbering Authorities (CVAs) will assess the severity of the vulnerability by using the NVD calculator. These organizations are authorized by the CVE Program to assign CVE IDs to vulnerabilities and publish CVE Records within their own specific scopes of coverage. Most cybersecurity vendors are registered as a CVA, and so is Fortinet.

Vulnerabilities are given a severity rating based on two factors: how easy the weakness is to exploit and the impact exploiting it can have on the program, device or data. These so called CVSS scores range from None (0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9) to Critical (9.0-10.0). Subsequently, a CVE identifier following the format CVE-[year]-[ID] is assigned.

Now, the real work is about to begin. Customers and end users can start evaluating the vulnerability once it has been made public. Therefore, it is always important to subscribe to the security update newsletters of the products that you introduce in your network. Based on the risk score, you can decide to patch or to take any other remediation actions recommended by the publisher. A good vulnerability management tool that can keep record of your systems and check their current state will prove its value.

The announcements will usually also include the Indicators of Compromise. These can give you an idea of whether you have already been the victim of exploitation of the vulnerability. Unfortunately, if that’s the case, you certainly have more to worry then just installing the latest patch.

More often than not and usually within a few days or weeks after publication, a PoC (Proof of Concept) will follow. This is a piece of code which gives anyone the possibility to misuse the vulnerability themselves. This misuse of a vulnerability is often referred to as “exploitation” and the tool used to exploit a vulnerability is called an exploit. Once such an exploit is available in the wild, you may be certain that there will be a steep rise in the attempts to exploit the vulnerability. In that case, tools like an IPS (Intrusion Prevention System) are specifically targeted at helping you guard your network against those exploits. Funny enough, a FortiGate, which has an IPS engine to protect you from vulnerabilities, has now fell victim for one itself.

But even if there is no exploit available yet, even if there is no vulnerability disclosed yet, you may still get breached. In that case, you can fall victim to a zero-day attack, which is indicating that the attacker, at the time of the breach, was the only one knowing about the existence of the security flaw. For these type of attacks, your best bet is the combination of an EDR with an NDR solution. But even then, you will always have to keep in mind that no solution will ever be able to safeguard your environments for 100%.


And what about my FortiBabies? Well, essentially the same procedure was executed when Fortinet announced the discovery of their authentication bypass vulnerability on the 6th of October 2022. Vulnerability CVE-2022-40684 was assigned a CVSS score of 9.6, which equals to the critical status (read: very bad and should be patched immediately). You can find the PSIRT (Product Security Incident Repose Team) advisory, which includes the details about the vulnerability, at https://www.fortiguard.com/psirt/FG-IR-22-377.

Most important thing to note is that the vulnerability is only present on the admin HTTP and HTTPS interface, not on other login screens like SSL-VPN, identity based firewall policies or captive portal. So, if you do not have HTTP or HTTPS open on your WAN interfaces, you may wipe of the sweat off your forehead because your attack surface will be limited to your internal network only. If you do happen to belong to the category of people who enable administrative access on WAN, please drop everything and start patching.

The following product versions are affected:

      • FortiOS (FortiGate): 7.2.1, 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0
      • FortiProxy : 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0
      • FortiSwitchManager : 7.2.0, 7.0.0

A Shodan search reveals that more than 140 000 FortiGate firewalls can be reached over the Internet. Subsequently, chances are very high that if they have their management interfaces exposed, they are a valuable target for attackers. The solution to this critical security flaw is to upgrade your system. More precisely, to the latest FortiOS 7.0.7 or 7.2.2 releases, which were released specifically to tackle this vulnerability. A technical deep dive about what Fortinet actually changed in the system’s code, is covered in this article by the amazing team of HORIZON3.ai. “An attacker can use this vulnerability to do just about anything they want to the vulnerable system. This includes changing network configurations, adding new users, and initiating packet captures.” concludes their post. These were also the guys who had the scoop to publish the first PoC code for the vulnerability. If you want to play with it yourself, it is included in the very same article.

If patching is not an option right away, you can either temporarily disable administrative access on you WAN, or you can create a local-in policy which basically allows only a trusted hosts address group to access the management interface. More information can be found in the PSIRT article.

After the publication of Fortinet’s security advisory, a lot of attackers jumped on the flaw. GreyNoise, a threat intelligence firm which focuses on the reporting of exploitation attempts, is closely monitoring the CVE. On 13 October, they detected 12 unique source IPs exploiting the bug with attacker IPs coming from Germany, the US, Brazil, China and France. Of course, since the PoC code has been released, this number is increasing every day. At the same time, Fortinet is also aware that the vulnerability is being exploited in the wild. They have spotted an occurrence where they have downloaded the config file from the targeted devices and added a malicious super_admin account called “fortigate-tech-support”.  Because of its active exploitation status, it might be beneficial to check if you fell victim of the exploitation of the code yourself. Have a look at the IoCs which are included in the PSIRT post or consult this article from the security researchers of HORIZON3.ai.

And now: less talking and more patching! Cheers!