Written by Rafael Silva

Fortiguard

Fortiguard

https://ift.tt/4pLZtXn

Summary

An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager may allow an unauthenticated atttacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.

 

Exploitation Status:

Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device’s logs:

user="Local_Process_Access" 

Please contact customer support for assistance.

 

Workaround:

FortiOS:

Disable HTTP/HTTPS administrative interface

OR

Limit IP addresses that can reach the administrative interface:

config firewall address

edit "my_allowed_addresses"

set subnet <MY IP> <MY SUBNET>

end

Then create an Address Group:

config firewall addrgrp

edit "MGMT_IPs"

set member "my_allowed_addresses"

end

Create the Local in Policy to restrict access only to the predefined group on management interface (here: port1):

config firewall local-in-policy

edit 1

set intf port1

set srcaddr "MGMT_IPs"

set dstaddr "all"

set action accept

set service HTTPS HTTP

set schedule "always"

set status enable

next

edit 2

set intf "any"

set srcaddr "all"

set dstaddr "all"

set action deny

set service HTTPS HTTP

set schedule "always"

set status enable

end

If using non default ports, create appropriate service object for GUI administrative access:

config firewall service custom

edit GUI_HTTPS

set tcp-portrange <admin-sport>

next

edit GUI_HTTP

set tcp-portrange <admin-port>

end

Use these objects instead of "HTTPS HTTP "in the local-in policy 1 and 2 below.

Please contact customer support for assistance.

 

FortiProxy:

Disable HTTP/HTTPS administrative interface

OR

Limit IP addresses that can reach the administrative interface (here: port1):

config system interface

edit port1

set dedicated-to management

set trust-ip-1 <MY IP> <MY SUBNET>

end

Please contact customer support for assistance.

 

FortiSwitchManager:

DIsable HTTP/HTTPS administrative interface

Please contact customer support for assistance.

via FortiGuard

October 13, 2022 at 10:41PM