Proof-of-concept (PoC) exploit code has been made available for the recently disclosed critical security flaw affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager, making it imperative that users move quickly to apply the patches.
"FortiOS exposes a management web portal that allows a user to configure the system," Horizon3.ai researcher James Horseman said. "Additionally, a user can SSH into the system which exposes a locked down CLI interface."
The issue, tracked as CVE-2022-40684 (CVSS score: 9.6), concerns an authentication bypass vulnerability that could allow a remote attacker to perform malicious operations on the administrative interface via specially crafted HTTP(S) requests.
Successful exploitation of the shortcoming is tantamount to granting complete access "to do just about anything" on the affected system, including altering network configurations, adding malicious users, and intercepting network traffic.
However, the cybersecurity firm said there are two essential requirements for making such a request:
- An attacker can set the client_ip to "127.0.0.1" by using the Forwarded header.
- The "trusted access" authentication check only verifies that the client IP is 127.0.0.1 and that the User-Agent is "Report Runner", both of which are under the attacker's control.
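The two indicators above (a Forwarded header asserting a loopback client, plus the "Report Runner" User-Agent) are what a defender can look for in web-access logs or reverse-proxy captures while patching is under way. The following is an added example written for this article, not code from Fortinet or Horizon3.ai: it parses the Forwarded header per RFC 7239 and flags requests that carry both indicators. Assumptions are labelled in the comments: the loopback test is generalised beyond the literal "127.0.0.1" to any loopback address (and is applied to the by= parameter as well as for=), the User-Agent match is exact because the bypass itself depends on that exact string, and the sample requests are constructed, not captured traffic.

```python
import ipaddress

REPORT_RUNNER_UA = "Report Runner"


def split_outside_quotes(text, sep):
    """Split on `sep` while honouring RFC 7239 quoted-string values and \\-escapes inside them."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\" and in_quotes:
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
            buf.append(ch)
        elif ch == sep and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def unquote(value):
    """Strip a surrounding quoted-string and resolve its backslash escapes."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        out, escaped = [], False
        for ch in value[1:-1]:
            if escaped or ch != "\\":
                out.append(ch)
                escaped = False
            else:
                escaped = True
        return "".join(out)
    return value


def parse_forwarded(header):
    """Parse a Forwarded header into a list of {param: value} dicts, one per proxy hop."""
    elements = []
    for element in split_outside_quotes(header, ","):
        params = {}
        for pair in split_outside_quotes(element, ";"):
            if "=" not in pair:
                continue
            name, _, raw = pair.partition("=")
            params[name.strip().lower()] = unquote(raw)
        if params:
            elements.append(params)
    return elements


def node_address(node):
    """Turn a node identifier ("127.0.0.1:443", "[::1]:8000", "_hidden") into an ip_address, or None."""
    node = node.strip()
    if node.startswith("["):
        end = node.find("]")
        host = node[1:end] if end > 0 else ""
    elif node.count(":") == 1:          # IPv4 with a port; a bare IPv6 literal has more colons
        host = node.rsplit(":", 1)[0]
    else:
        host = node
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None                     # obfuscated ("_hidden"), "unknown" or empty identifier


def indicators(headers):
    """Set of indicators present in one request's headers (header names are case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    found = set()
    if h.get("user-agent", "").strip() == REPORT_RUNNER_UA:   # exact string, as the bypass requires
        found.add("report_runner_ua")
    for element in parse_forwarded(h.get("forwarded", "")):
        for param in ("for", "by"):     # assumption: a loopback in either param is anomalous from outside
            ip = node_address(element.get(param, ""))
            if ip is not None and ip.is_loopback:   # assumption: any loopback, not just 127.0.0.1
                found.add("loopback_forwarded")
    return found


def is_bypass_attempt(headers):
    """Both indicators together match the request shape Horizon3.ai described."""
    return {"report_runner_ua", "loopback_forwarded"} <= indicators(headers)


# Constructed sample traffic for illustration only (not captured data).
SAMPLE_REQUESTS = [
    {"id": 1, "headers": {"User-Agent": "Mozilla/5.0", "Forwarded": "for=198.51.100.7"}},
    {"id": 2, "headers": {"User-Agent": "Report Runner",
                          "Forwarded": 'for="[127.0.0.1]:8000";by="[127.0.0.1]:9000"'}},
    {"id": 3, "headers": {"user-agent": "report runner", "FORWARDED": "for=127.0.0.1"}},  # wrong-case UA
    {"id": 4, "headers": {"User-Agent": "Report Runner", "Forwarded": "for=_hidden;proto=https"}},
    {"id": 5, "headers": {"User-Agent": "curl/7.85.0", "Forwarded": "for=203.0.113.9, for=[::1]"}},
]


def scan(requests):
    """Map request id -> sorted indicator list for every request with at least one indicator."""
    return {r["id"]: sorted(indicators(r["headers"])) for r in requests if indicators(r["headers"])}


if __name__ == "__main__":
    for rid, hits in scan(SAMPLE_REQUESTS).items():
        print(f"request {rid}: {'BYPASS ATTEMPT' if len(hits) == 2 else 'partial'} {hits}")
```

Only request 2 trips both indicators; requests 3, 4 and 5 are reported as partial matches so an analyst can still triage them, while request 1 is ordinary proxied traffic and is not reported at all.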
The release of the PoC comes as Fortinet cautioned that it's already aware of an instance of active exploitation of the flaw in the wild, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an advisory urging federal agencies to patch the flaw by November 1, 2022.
Threat intelligence firm GreyNoise has identified 12 unique IP addresses targeting CVE-2022-40684 as of October 13, 2022, with a majority located in Germany, followed by Brazil, the U.S., China, and France.