FortiOS, FortiProxy, and FortiSwitchManager Authentication Bypass IOCs (CVE-2022-40684)

James Horseman  |  October 11, 2022  |  Attack Blogs

Introduction

The recent FortiOS / FortiProxy / FortiSwitchManager CVE has been reportedly exploited in the wild. We would like to provide additional insight into the vulnerability so users can begin to determine if they have been compromised. In this post we discuss enabling logging and IOCs for FortiOS 7.2.1. These steps will likely work on other vulnerable products, however we do not have other products configured in our lab for testing. See the details of our technical deep dive here.

Logging

If not already configured, REST API logging can be set through the Fortinet CLI with the following commands:

fortios_7_2_1 # config log setting
fortios_7_2_1 (setting) # set rest-api-set enable
fortios_7_2_1 (setting) # set rest-api-get enable
fortios_7_2_1 (setting) # end
fortios_7_2_1 # 

IOCs

In addition to Fortinet's recommendation to check the device's logs for user="Local_Process_Access", any affected system should also be checked for log entries with user_interface="Node.js" or user_interface="Report Runner". The screenshots below show examples of the exploit running against our lab systems.

[Screenshot: log entry with user_interface="Node.js"]
[Screenshot: log entry with user_interface="Report Runner"]

The exploit can be used with any HTTP method (GET, POST, PUT, DELETE, etc.). Additionally, a REST API request that is logged as failing is not an indication that the attacker was unsuccessful: in our lab environment, we were able to modify the admin user's SSH keys through a REST API request that was reported as failed. We would also note that a system configured for production use may naturally produce logs that match these IOCs. However, we would not expect such legitimate matches to involve URLs targeting sensitive REST API endpoints.

Attacker Mindset

The collection of /api/v2/ endpoints can be used to configure the system and modify the administrator user. Any log entries that meet the above conditions and also have a URL containing /api/v2/ should be cause for concern. Further investigation of matching entries can reveal what damage an attack has done. Additionally, an attacker may perform the following actions to further compromise a system:

  • Modify the admin users’ SSH keys to enable the attacker to login to the compromised system.
  • Add new local users.
  • Update networking configurations to reroute traffic.
  • Download the system configuration.
  • Initiate packet captures to capture other sensitive system information.
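The following script is an added example (not part of the original post or of any Fortinet tooling) that applies the IOC conditions above to FortiOS-style key=value log lines: it flags entries with user="Local_Process_Access" or user_interface set to "Node.js" or "Report Runner", and escalates them when the URL field contains /api/v2/. The sample log lines are constructed, and the use of `url` as the field name holding the request path is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed FortiOS-style event log lines (not captured from a real device).
# Field names user and user_interface follow the post; url is an assumed field
# name for the request path. FortiOS renders records as key=value pairs with
# double-quoted values, which is the layout parsed below.
SAMPLE_LOGS = [
    'date=2022-10-11 time=09:58:01 user="admin" user_interface="GUI(192.0.2.10)" '
    'url="/api/v2/cmdb/system/admin/admin" msg="Edit system.admin admin"',
    'date=2022-10-11 time=10:05:44 user="Local_Process_Access" user_interface="Node.js" '
    'url="/api/v2/cmdb/system/admin/admin" msg="Edit system.admin admin"',
    'date=2022-10-11 time=10:06:12 user="Local_Process_Access" user_interface="Report Runner" '
    'url="/api/v2/cmdb/system/admin/admin" msg="Edit system.admin admin failed"',
    'date=2022-10-11 time=11:00:00 user="Local_Process_Access" user_interface="Report Runner" '
    'msg="Scheduled report generated"',
]

SUSPICIOUS_USER = "Local_Process_Access"
SUSPICIOUS_INTERFACES = {"Node.js", "Report Runner"}
API_PREFIX = "/api/v2/"

# key=value where the value is either "quoted text" or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line: str) -> Dict[str, str]:
    """Split one FortiOS-style record into a field -> value mapping."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def classify(entry: Dict[str, str]) -> str:
    """Return 'clean', 'review' (IOC present) or 'high' (IOC plus /api/v2/ URL)."""
    hit_user = entry.get("user") == SUSPICIOUS_USER
    hit_ui = entry.get("user_interface") in SUSPICIOUS_INTERFACES
    if not (hit_user or hit_ui):
        return "clean"
    # Deliberately ignore any success/failure wording: the post's lab run changed
    # admin SSH keys through a request that was logged as failing.
    if API_PREFIX in entry.get("url", ""):
        return "high"
    # IOC alone: production systems can legitimately produce these, so review.
    return "review"


def triage(lines: List[str]) -> List[Tuple[str, Dict[str, str]]]:
    """Classify every line and return (verdict, parsed entry) pairs in order."""
    return [(classify(entry), entry) for entry in map(parse_log_line, lines)]


if __name__ == "__main__":
    for verdict, e in triage(SAMPLE_LOGS):
        print(f'{verdict:6} {e.get("time")} user={e.get("user")!r} '
              f'ui={e.get("user_interface")!r} url={e.get("url")!r}')
```

Point `triage()` at the lines of an exported event log to get a first pass; anything marked "high" warrants checking the admin object, local users, and network configuration named above.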