Details and a proof-of-concept (PoC) exploit have been published for the recent Fortinet vulnerability tracked as CVE-2022-40684, just as cybersecurity firms are seeing what appears to be the start of mass exploitation attempts.
Fortinet privately informed some customers last week about the availability of patches and workarounds for a critical authentication bypass vulnerability exposing some devices to remote attacks.
The security hole allows an unauthenticated attacker to remotely perform unauthorized operations on an appliance’s admin interface using specially crafted requests. Exploitation is not difficult and it can lead to a full device takeover.
On Monday, the company made public an advisory and confirmed that the zero-day flaw had been exploited in at least one attack.
This suggested that the attack observed by Fortinet was likely the work of a sophisticated — likely state-sponsored — threat actor. However, as more details are coming to light, it’s increasingly likely that CVE-2022-40684 will be widely exploited.
Penetration testing company Horizon3.ai has made public a PoC exploit that allows an attacker to add an SSH key to the admin user, enabling the attacker to access the targeted system with administrator privileges. The firm has also released technical details, and others have created templates for vulnerability scanners.
There have been several reports over the past day indicating that scanning for systems affected by CVE-2022-40684 is underway. Threat intelligence firm GreyNoise has seen exploitation attempts coming from more than 40 unique IPs in the past 24 hours.
WordPress security company Defiant has also seen exploitation attempts, coming from nearly two dozen IPs.
“Most of the requests we have observed are GET requests presumably trying to determine whether a Fortinet appliance is in place,” the Wordfence team at Defiant explained. “However, we also found that a number of these IPs are also sending out PUT requests matching the recently released proof of concept, […] which attempts to update the public SSH key of the admin user.”
“While some requests are using a fake public key, which may indicate a benign vulnerability scanner, all of the requests using a valid public key are using the same public key, indicating that these requests are all the work of the same actor,” the Wordfence team added.
Shortly after the existence of CVE-2022-40684 came to light, SANS Institute reported seeing an increase in scans for an old Fortigate vulnerability and the company believed someone may have been trying to create a list of potential targets for exploitation. SANS has now also reported seeing exploitation attempts targeting CVE-2022-40684.
CVE-2022-40684 affects Fortinet FortiOS, FortiProxy, and FortiSwitchManager appliances. Patches and workarounds are available from the vendor, and organizations have been urged to address the flaw as soon as possible. CISA has instructed federal agencies to take action by November 1.
One scan showed more than 17,000 vulnerable Fortinet appliances exposed to attacks, including over 3,000 in the United States.