fuck fortinet


2022-10-07


FG-IR-22-377: Critical Severity FortiOS / FortiProxy - Authentication bypass on administrative interface

FortiGuard ID: FG-IR-22-377
CVE ID: CVE-2022-40684
Severity: Critical / CVSS: 9.6

Issue Summary

Fortinet is providing advance notification of a critical severity authentication bypass using an 
alternate path or channel [CWE-88] in specific versions of FortiOS and FortiProxy that may allow an 
unauthenticated attacker to perform operations on the administrative interface via specially crafted 
HTTP or HTTPS requests.

**Because this issue can be exploited remotely, Fortinet strongly recommends that all customers 
running the vulnerable versions upgrade immediately.**

Affected Products
	FortiOS: From 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1
	FortiProxy: From 7.0.0 to 7.0.6 and 7.2.0

(earlier versions are not impacted)


Solutions
	Upgrade to FortiOS 7.0.7 or 7.2.2 or above
	Upgrade to FortiProxy version 7.0.7 or 7.2.1 or above
	For 6K/7K Systems, please see Customer Support Bulletin CSB-221006-2 for version details.

Workarounds

If these devices cannot be updated in a timely manner, internet-facing HTTPS administration should be 
disabled immediately until the upgrade can be performed.

A further workaround is to apply a firewall policy to local-in traffic to restrict access to the 
administrative interface; please see Customer Support Bulletin CSB-221006-1.
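As an added example (not taken from the Fortinet advisory or from bulletin CSB-221006-1, which this page does not reproduce), the two workarounds above expressed as FortiOS CLI configuration: the first block shows the exposed setting, the second removes HTTPS administration from the internet-facing interface, and the third restricts any remaining local-in HTTPS to a trusted management subnet. The interface name port1, the address object name and the subnet 192.0.2.0/24 are assumptions.

```fortios
# Before (exposed): HTTPS administration is reachable on the internet-facing
# interface. "port1" is an assumed WAN interface name.
config system interface
    edit "port1"
        set allowaccess ping https ssh
    next
end

# Workaround 1: remove https from allowaccess on the internet-facing interface
# so the administrative web interface is no longer served there.
config system interface
    edit "port1"
        set allowaccess ping ssh
    next
end

# Workaround 2: where HTTPS administration must stay enabled, restrict
# local-in traffic to a trusted management network (192.0.2.0/24 is an
# assumed placeholder). Local-in policies are evaluated top-down, so the
# accept entry must come before the deny entry.
config firewall address
    edit "mgmt-admins"
        set subnet 192.0.2.0 255.255.255.0
    next
end
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "mgmt-admins"
        set dstaddr "all"
        set action accept
        set service "HTTPS"
        set schedule "always"
    next
    edit 2
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS"
        set schedule "always"
    next
end
```

If the administrative HTTPS port was changed with `set admin-sport` under `config system global`, the built-in HTTPS service object will not match; create a custom service object for that port and reference it in both local-in entries. Confirm the result with `show firewall local-in-policy` and by testing from an address outside the trusted subnet.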