PSIRT Blogs

Update Regarding CVE-2022-40684

By Carl Windsor | October 14, 2022

Fortinet recently distributed a PSIRT Advisory regarding CVE-2022-40684 that details urgent mitigation guidance, including upgrades as well as workarounds for customers and recommended next steps. The following update and considerations are part of our efforts to communicate the availability of patches and mitigations to address CVE-2022-40684 and also strongly urge potentially affected customers to immediately update their FortiOS, FortiProxy, and FortiSwitchManager products.

Timely and ongoing communication with our customers is a key component in our efforts to best protect their organizations. Customer communications often carry the most up-to-date guidance and recommended next steps.

In this case, we were aware of this vulnerability being abused in a single instance, and we adjusted our usual notification process to provide a confidential advance early warning to the contact information we had for all customers running the impacted firmware versions, so that those customers could strengthen their security posture before the public release to the broader audience.

Communication Timeline

The following details background and timeline activities of Fortinet’s communications and processes to date in regards to CVE-2022-40684:

  • October 6: Issued email notification to the primary account owners of all potentially affected devices.
  • October 6: Issued a Customer Support Bulletin to all customers via https://support.fortinet.com.
  • October 6 onwards: Fortinet worked to notify CISA and other agencies to ensure this message has been communicated as broadly as possible in conjunction with our advisory.
  • October 10: Shortly after this window for customer communications, Fortinet issued a public Advisory (FG-IR-22-377) early in the morning PT.
  • October 10 - Present: We continue to proactively reach out to customers, strongly urging them to immediately follow the guidance provided in connection with CVE-2022-40684, as we continue monitoring the situation.

After multiple notifications from Fortinet over the past week, there are still a significant number of devices that require mitigation, and following the publication of PoC code by an outside party, this vulnerability is now being actively exploited. Based on this development, Fortinet again recommends that customers and partners take urgent and immediate action as described in the public Advisory.

Additional Indicators of Compromise

Fortinet provided customers with an early confidential notification to enable this issue to be remediated before the vulnerability became public. As soon as it did, threat actors began to exploit the issue. As can be seen from one of our honeypot systems (see the captured CLI output below), following the initial confidential notification, threat actors began to scan the internet for devices, exploit the vulnerability to download the device configuration, and also install malicious administrator accounts.

# show user local
edit "fortigate-tech-support"
  set accprofile "super_admin"
  set vdom "root"
  set password ENC [...]
next

Fortinet recommends that customers validate their configuration to ensure that no unauthorized changes, such as the added administrator account shown above, have been implemented by a malicious third party, regardless of whether they have already upgraded.
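One way to perform that validation offline, as an added example that is not Fortinet's own tooling: take a configuration backup from the device, parse the `config system admin` section, and flag any administrator account that is not on an operator-maintained allowlist, plus any `super_admin` account with no trusted-host restriction. The configuration text below is constructed for this example (it reuses the `fortigate-tech-support` account name seen on this page); the `EXPECTED_ADMINS` allowlist and the `<redacted>` password placeholder are assumptions.

```python
"""Audit a FortiOS configuration backup for unexpected administrator
accounts.  Added example; not code from Fortinet or the PSIRT advisory."""

import re
from typing import Dict, List, Set

# Constructed sample of a FortiOS CLI backup (not from a real device).
# "fortigate-tech-support" mirrors the malicious account name shown on this page.
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.0.0.0 255.255.255.0
        set password ENC <redacted>
    next
    edit "fortigate-tech-support"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC <redacted>
    next
end
config user local
    edit "vpnuser1"
        set type password
        set passwd ENC <redacted>
    next
end
"""

# Assumption: the operator maintains this list of legitimate admin accounts.
EXPECTED_ADMINS: Set[str] = {"admin"}


def parse_section(config_text: str, section: str) -> Dict[str, Dict[str, str]]:
    """Return {entry_name: {setting: value}} for one 'config <section>' block.

    Understands the flat FortiOS layout: 'config X', 'edit "name"',
    'set key value...', 'next', 'end'.  Sub-tables ('config ...' nested
    inside an entry) are skipped by tracking nesting depth.
    """
    entries: Dict[str, Dict[str, str]] = {}
    in_section = False
    current = None
    depth = 0  # nesting depth of 'config' blocks inside the target section
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line == f"config {section}"
            continue
        if line.startswith("config "):
            depth += 1
            continue
        if line == "end":
            if depth:
                depth -= 1
                continue
            break  # closing 'end' of the section we wanted
        if depth:
            continue  # settings inside a nested sub-table are ignored here
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r"set\s+(\S+)\s+(.*)$", line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2).strip('"')
    return entries


def unexpected_admins(config_text: str, expected: Set[str]) -> List[str]:
    """Admin accounts present in the backup but absent from the allowlist."""
    admins = parse_section(config_text, "system admin")
    return sorted(name for name in admins if name not in expected)


def super_admins_without_trusthost(config_text: str) -> List[str]:
    """super_admin accounts reachable from any source address (no trusthostN)."""
    admins = parse_section(config_text, "system admin")
    return sorted(
        name for name, settings in admins.items()
        if settings.get("accprofile") == "super_admin"
        and not any(k.startswith("trusthost") for k in settings)
    )


if __name__ == "__main__":
    print("unexpected admin accounts:", unexpected_admins(SAMPLE_CONFIG, EXPECTED_ADMINS))
    print("super_admin without trusthost:", super_admins_without_trusthost(SAMPLE_CONFIG))
```

Run it against a real backup by replacing `SAMPLE_CONFIG` with the file contents; any name it reports that the administrator team did not create should be treated as a sign of compromise, and the device's other settings (VPN, routing, logging) reviewed with the same suspicion, since an attacker with `super_admin` could have changed any of them.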

As a PSIRT team and forward-looking security vendor, we are constantly seeking ways to engage, inform, and encourage our customers to institute mitigation best practices and to patch their systems.

If a customer needs additional guidance, they are advised to reach out to customer support.

Please contact PSIRT@fortinet.com if you have any other suggestions or feedback.

Fortinet continues to follow its PSIRT processes and best practices to best mitigate the situation.

For details of the Fortinet PSIRT Policy: https://www.fortiguard.com/psirt_policy.