Multiple vulnerabilities in Fortinet products


Security researchers at Horizon3 reported on 13 October 2022 that the critical vulnerability designated CVE-2022-40684, which affects a number of Fortinet products (FortiOS, FortiProxy, and FortiSwitchManager), had been successfully reproduced and exploited. The researchers published a thorough technical study and functioning proof-of-concept (PoC) exploit code for the vulnerability.


The research states that the authentication bypass vulnerability enables a remote threat actor to manipulate the administration interface by sending specially crafted HTTPS requests. If exploitation is successful, full access to the compromised system is granted, allowing for the modification of network settings, the addition of malicious users, and the interception of network data.

The following two conditions allow the threat actor to formulate such requests.

  1. Using the Forwarded header, an attacker is able to set the client_ip to “127.0.0.1”.
  2. The “trusted access” authentication check verifies only that the client_ip is “127.0.0.1” and that the User-Agent is “Report Runner”, both of which are under attacker control.
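The two conditions above translate directly into a detection rule for traffic reaching the management interface: a Forwarded header that asserts a loopback client, combined with the “Report Runner” User-Agent. The following is an added example written for this summary, not code from Horizon3 or Fortinet; it assumes request metadata exported as one JSON object per line by a reverse proxy or capture tool in front of the device (the field names and the sample records are constructed).

```python
import json

# Constructed request records (not real FortiOS logs), one JSON object per line.
# The field names "src", "path" and "headers" are this example's own assumption.
SAMPLE_LOG = r"""
{"src": "203.0.113.10", "path": "/login", "headers": {"Forwarded": "for=\"[127.0.0.1]\"", "User-Agent": "Report Runner"}}
{"src": "198.51.100.7", "path": "/login", "headers": {"Forwarded": "for=127.0.0.1;proto=https", "User-Agent": "Mozilla/5.0"}}
{"src": "192.0.2.5", "path": "/login", "headers": {"User-Agent": "Mozilla/5.0"}}
{"src": "192.0.2.9", "path": "/login", "headers": {"User-Agent": "Report Runner"}}
"""

LOOPBACK = "127.0.0.1"

def forwarded_clients(header_value):
    """Return the client addresses asserted by the for= pairs of a Forwarded header (RFC 7239)."""
    claims = []
    for element in header_value.split(","):
        for pair in element.split(";"):
            name, _, value = pair.strip().partition("=")
            if name.strip().lower() == "for":
                value = value.strip().strip('"')
                if value.startswith("["):            # IPv6 literal, possibly with a port
                    value = value[1:value.find("]")]
                else:                                 # IPv4 or token, drop any port
                    value = value.split(":")[0]
                claims.append(value)
    return claims

def classify(record):
    """Map one request record to a verdict, or None when nothing matches."""
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
    if LOOPBACK not in forwarded_clients(headers.get("forwarded", "")):
        return None
    # Both conditions from the write-up: a spoofed loopback client plus the
    # "Report Runner" User-Agent that the trusted-access check looks for.
    if headers.get("user-agent", "").strip() == "Report Runner":
        return "exploit-attempt"
    # A loopback claim arriving over the network is not legitimate on its own.
    if record.get("src") != LOOPBACK:
        return "suspicious"
    return None

def detect(log_text):
    """Return (src, verdict) for every record that matches a rule."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            record = json.loads(line)
            verdict = classify(record)
            if verdict:
                findings.append((record["src"], verdict))
    return findings

if __name__ == "__main__":
    for src, verdict in detect(SAMPLE_LOG):
        print(f"{src}: {verdict}")
```

Header matching is case-insensitive and the for= parser tolerates quoted, bracketed and port-suffixed forms, so variations of the same claim are not missed.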

As of this writing, researchers have already found 12 distinct IP addresses weaponizing CVE-2022-40684, the majority of which are based in Germany, the United States, Brazil, China, and France.

Sources

https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/