Fortinet have identified a critical authentication bypass vulnerability in the administrative interface of their products running FortiOS, FortiProxy and FortiSwitch Manager, allowing an attacker to perform unauthorised operations or execute commands.
CVE-2022-40684 allows unauthorised execution of commands in Fortinet products running FortiOS (FortiGate firewalls), FortiProxy (web proxies) and FortiSwitch Manager.
Affected versions include:
An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests. The exploit can be used with any HTTP method (GET, POST, PUT, DELETE, etc.). Additionally, a failed REST API request is not an indication that an attacker was unsuccessful.
There are working POCs in the wild for this vulnerability.
The vulnerability has been patched in the following versions of the affected products:
If the REST API is enabled on the affected device, it is recommended to check device logs for:
Note: a system configured for production use may produce logs that match these IOCs naturally. However, we would not expect these IOCs to match with URLs targeting sensitive REST API endpoints.
Disable HTTP/HTTPS administrative interface
Limit IP addresses that can reach the administrative interface:
    config firewall address
        edit "my_allowed_addresses"
            set subnet <MY IP> <MY SUBNET>
    end
Then create an Address Group:
    config firewall addrgrp
        edit "MGMT_IPs"
            set member "my_allowed_addresses"
    end
Create the Local in Policy to restrict access only to the predefined group on management interface (here: port1):
    config firewall local-in-policy
        edit 1
            set intf port1
            set srcaddr "MGMT_IPs"
            set dstaddr "all"
            set action accept
            set service HTTPS HTTP
            set schedule "always"
            set status enable
        next
        edit 2
            set intf "any"
            set srcaddr "all"
            set dstaddr "all"
            set action deny
            set service HTTPS HTTP
            set schedule "always"
            set status enable
    end
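The restriction above can be verified mechanically against a FortiOS configuration export. The following Python is an added example (not Fortinet's or AARNet's code): it parses the config/edit/set/next/end syntax into nested dicts, then flags any enabled local-in-policy that accepts HTTP or HTTPS from "all" and the absence of the catch-all deny rule; the HARDENED sample is the advisory's two policies trimmed to the settings the check reads, and WEAK is a constructed variant with the allow-list replaced by "all".

```python
import shlex

def parse_fortios(text):
    """Parse FortiOS 'config/edit/set/next/end' text into nested dicts."""
    root, frames = {}, []                 # frames: (opening keyword, parent dict)
    cur = root
    for raw in filter(str.strip, text.splitlines()):
        toks = shlex.split(raw)           # strips the quotes around "MGMT_IPs" etc.
        kw, args = toks[0], toks[1:]
        if kw in ("config", "edit"):
            frames.append((kw, cur))
            cur = cur.setdefault(" ".join(args), {})
        elif kw == "set":
            cur[args[0]] = args[1:]       # multi-valued, e.g. service -> [HTTPS, HTTP]
        elif kw == "next":
            _, cur = frames.pop()
        elif kw == "end":                 # an 'end' also commits an 'edit' left open
            while frames:
                kind, cur = frames.pop()
                if kind == "config":
                    break
    return root

def admin_access_findings(cfg):
    """Exposures of the HTTP/HTTPS admin interface; [] means the local-in-policy
    follows the allow-group-then-deny-all pattern from the advisory."""
    findings, deny_all = [], False
    for pid, pol in sorted(cfg.get("firewall local-in-policy", {}).items(),
                           key=lambda kv: int(kv[0])):   # policies apply in ID order
        if pol.get("status", ["enable"])[0] != "enable":
            continue
        if not {"HTTP", "HTTPS"} & set(pol.get("service", [])):
            continue                      # not a management-service rule
        action, src = pol.get("action", [""])[0], pol.get("srcaddr", [])
        if action == "accept" and "all" in src:
            findings.append(f"policy {pid} accepts HTTP/HTTPS from any source")
        if action == "deny" and "all" in src and pol.get("intf") == ["any"]:
            deny_all = True
    if not deny_all:
        findings.append("no enabled deny-all HTTP/HTTPS rule on intf any")
    return findings

# Constructed sample: the advisory's two policies, trimmed to the settings read above.
HARDENED = "\n".join([
    "config firewall local-in-policy",
    " edit 1", " set intf port1", ' set srcaddr "MGMT_IPs"', " set action accept",
    " set service HTTPS HTTP", " set status enable", " next",
    " edit 2", ' set intf "any"', ' set srcaddr "all"', " set action deny",
    " set service HTTPS HTTP", " set status enable", "end"])
WEAK = HARDENED.replace('set srcaddr "MGMT_IPs"', 'set srcaddr "all"')
```

Run `admin_access_findings(parse_fortios(open("backup.conf").read()))` against a real `show full-configuration` export to list exposures; an empty list means the management ports are already gated by the allow group.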
https://github.com/horizon3ai/CVE-2022-40684