New Threat Research: Uncovering Adversarial LDAP Tradecraft

Read Threat Research


Fortinet Warns Customers to Patch a Critical Authentication Bypass Vulnerability

Fortinet has warned customers to patch an authentication bypass vulnerability, CVE-2022-40684, which can allow a threat actor to logon to unpatched FortiGate firewalls and FortiProxy web proxies. The complete list of Fortinet products vulnerable to attacks includes:

  • FortiOS: From 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1
  • FortiProxy: From 7.0.0 to 7.0.6 and version 7.2.0

A Shodan search indicates that more than 100,000 FortiGate firewalls are reachable from the internet, but it is unknown if their management interfaces are also exposed. Fortinet has releases FortiOS and FortiProxy versions 7.0.7 and 7.2.2 to patch this vulnerability and have advised all customers to update their devices via both a public bulletin and via email. Additionally, the company provided a workaround for those who cannot immediately patch this vulnerability, advising them to limit the IP addresses that can reach the administrative interface using a local-in-policy.

Analyst Notes

As an organization grows, it typically begins to utilize more and more third-party software within their environment. While this is unavoidable and needed in many cases, it opens the door for a greater amount of vulnerabilities to be exploited. Because of this, it is important for any organization to have two things:
1) A threat intelligence division (whether that be internal or external)
2) A robust vulnerability management/patching schedule
A threat intelligence division helps to identify these vulnerabilities when they are first released before they are heavily exploited in the wild. A robust vulnerability management/patching schedule helps to keep third-party software up to date, ensuring that the software is the most secure that it can be if a vulnerability in an old version does arise. It also allows for a quick turnaround when a new vulnerability is released for the most up to date version. Additionally, as the Fortinet team mentioned, it is best policy to limit the IP addresses that can reach any administrative interfaces using a local-in-policy.