Nasty vulnerability in Fortinet firewalls, proxies abused in real-world attacks
Fortinet urges customers to apply patch immediately
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Fortinet has patched a high-severity vulnerability in multiple services that allowed threat actors remote access and was being abused in the wild.
In a security advisory published late last week, the company described the flaw as an authentication bypass on the admin interface, allowing unauthenticated individuals to log into FortiGate firewalls, FortiProxy webproxies, and FortiSwitch Manager on-prem management instances.
The flaw is being tracked as CVE-2022-40684.
Urgent matters
“An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests,” Fortinet’s announcement reads.
The company also said the patch was released this Thursday and added that it notified some of its customers via email, urging them to disable remote management user interfaces “with the utmost urgency”.
A couple of days after releasing the patch, the company came out with more details, claiming it found evidence of at least one real-life campaign leveraging the flaw:
“Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device’s logs: user=“Local_Process_Access,” the company said.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
These are the Fortinet products that should be patched immediately:
FBI says hackers hit US local government through Fortinet VPN>Iranian hackers blamed for Fortinet and Microsoft Exchange hacks>These are the best VPNs right now
According toBleepingComputer, at least 140,000 FortiGatefirewallscan be accessed via the internet and are “likely” exposed to attacks, if their admin management interfaces are also exposed, it said. Those that are unable to patch their endpoints right away should block attackers by disabling HTTP/HTTPS admin interfaces or limit the IP addresses that have access via Local in Policy, it was explained.
“If these devices cannot be updated in a timely manner, internet-facing HTTPS Administration should be immediately disabled until the upgrade can be performed,” Fortinet concluded.
Via:BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
This new malware utilizes a rare programming language to evade traditional detection methods
A new form of macOS malware is being used by devious North Korean hackers
Belkin SoundForm Wired Earbuds with USB-C Connector review: sadly, these live up to their nominal price tag
