Weeks after Fortinet disclosed an authentication bypass flaw, researchers have found cybercriminals selling access to Fortinet VPN on the dark web. The impacted Fortinet products include FortiOS, FortiProxy, and FortiSwitchManager, among others.
Exploitation of CVE-2022-40684 allowed authentication bypass and gave threat actors admin access to several Fortinet products, researchers at the Cyble Research and Intelligence Labs (CRIL) found. The flaw is classified as CWE-288 (authentication bypass using an alternate path or channel) and affects Fortinet FortiOS version 7.2.0 through versions of FortiSwitchManager, according to the CRIL threat assessment report.
Researchers also found a cybercriminal distributing unauthorized Fortinet VPN access on a Russian cybercrime forum. The hacker was trying to add their own public key to the admin user's account. The exploitation has been observed since October 17 this year. The targeted device was found to be running an outdated FortiOS version, which made it possible to exploit the older vulnerability CVE-2022-40684, as shown in the figure below:

(Source: Cyble)
Details of the expected exploitation
The hackers used a forwarded header to set the client_ip to 127.0.0.1. That value was verified in the trusted access verification check, which allowed access and authenticated the hacker as the 'Report Runner.' The impacted Fortinet products include FortiOS version 7.2.0 through 7.2.1, FortiOS version 7.0.0 through 7.0.6, FortiProxy version 7.2.0, FortiProxy version 7.0.0 through 7.0.6, FortiSwitchManager version 7.2.0 and FortiSwitchManager version 7.0.0. CVE-2022-40684 could be exploited in several ways, such as:
- Logging in to the system by modifying admin users' SSH keys
- Giving access to other users
- Updating the network configuration to reroute traffic
- Accessing the system configuration
- Accessing sensitive system data by initiating packet captures
- Sharing or selling stolen data
Since Fortinet products are deployed across the globe, this vulnerability poses a risk to the security of several systems worldwide. According to Cyble, there are over 100 thousand FortiGate firewalls, and the Fortinet firewalls have been exposed over the internet. It is argued that initial access could be distributed to enable other attacks, such as ransomware on company systems. The following image shows the areas that are vulnerable to cyberattacks using the flaw in Fortinet firewalls.

(Source: CRIL)
Cybercriminals can escalate their access to the administrative interface using specially crafted HTTP or HTTPS requests. Access to the REST API functionality can be exploited to add an SSH key to the admin user, after which they can use the breached system as an admin, as explained in a tweet. It says that cybercriminals can gain access to all management API endpoints and exploit an administrative UI. This puts all the systems in the IT environment at risk.
The previous instances related to this Fortinet vulnerability
This critical vulnerability, CVE-2022-40684, was identified earlier this October. Fortinet's advisory gave the vulnerability a severity score of 9.6 and stated that the U.S. cybersecurity company was aware of its exploitation. In that exploitation, configuration files were accessed from devices and a malicious admin account named fortigate-tech-support was added. The indicator of compromise mentioned was user="Local_Process_Access".
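The indicators named above can be checked against exported device event logs. The following Python is an added example, not code from Fortinet or Cyble; the key=value log layout and the ui, cfgpath, cfgobj and cfgattr field names are assumptions, and the sample lines are constructed.

```python
import re

# Indicators quoted in the article.
IOC_USER = "Local_Process_Access"
IOC_ADMIN = "fortigate-tech-support"
IOC_UI = "Report Runner"

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Logs pasted through web pages or tickets often pick up curly quotes.
CURLY = str.maketrans({"\u201c": '"', "\u201d": '"'})

def parse_kv(line):
    """Split a key=value / key="quoted value" log line into a dict."""
    pairs = KV.finditer(line.translate(CURLY))
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in pairs}

def triage(lines):
    """Return (line_number, [reasons]) for each line matching an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        f = parse_kv(line)
        reasons = []
        if f.get("user") == IOC_USER:
            reasons.append("ioc-user")
        if f.get("ui") == IOC_UI:  # assumed field name
            reasons.append("report-runner-ui")
        if IOC_ADMIN in f.values():
            reasons.append("rogue-admin")
        # Assumed fields: a config change touching an admin's SSH key.
        if (f.get("cfgpath") == "system.admin"
                and "ssh-public-key" in f.get("cfgattr", "")):
            reasons.append("admin-ssh-key")
        if reasons:
            hits.append((n, reasons))
    return hits

# Constructed sample log lines (not real device output).
SAMPLE = [
    'date=2022-10-14 user="admin" ui="https(198.51.100.7)" action="login" msg="Administrator admin logged in"',
    'date=2022-10-14 user="Local_Process_Access" ui="Report Runner" action="Edit" cfgpath="system.admin" cfgobj="admin" cfgattr="ssh-public-key1[...]"',
    'date=2022-10-14 user=\u201cLocal_Process_Access\u201d ui="Report Runner" action="Add" cfgpath="system.admin" cfgobj="fortigate-tech-support"',
]

if __name__ == "__main__":
    for n, reasons in triage(SAMPLE):
        print(f"line {n}: {', '.join(reasons)}")
```

A hit on any of these reasons is grounds to review the device's admin accounts and SSH keys, not only to patch it.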
A workaround mentioned in the advisory was to disable the HTTP/HTTPS administrative interface, or to limit the IP addresses that can reach the administrative interface and create an address group, among other steps. Patches were made available, such as versions 7.2.2, 7.0.7, and 7.2.1.
However, the timely advisory was of no help. Fortinet issued a patch on October 10, and CISA immediately added the bug to its known exploited vulnerabilities catalog. CRIL spotted active exploitation on October 13 and, on November 17, FortiOS VPN access was found being sold on the dark web.