Fortinet warns of a critical vulnerability in its security software • The Register

Security applications provider Fortinet has become the subject of a bug report by its own FortiGuard Labs after a critical flaw was discovered in three of its products.

CVE-2022-40684 has a 9.6/10 rating on the Common Vulnerability Scoring System (CVSS), meaning it is considered a critical bug that deserves immediate attention.

FortiGuard’s advisory explains why the bug was rated so highly, revealing that it’s an authentication bypass present in FortiOS, FortiProxy, and FortiSwitchManager.

FortiOS is the operating system for Fortinet’s security appliances, FortiProxy is the company’s secure web proxy, and FortiSwitchManager manages Fortinet’s Ethernet switches.

The bug could “allow an unauthenticated attacker to perform operations on the management interface via specially crafted HTTP or HTTPS requests.”

That means an unknown party could be tampering with your security devices or switches while you’re reading this story. In fact, Fortinet has warned that it is “aware of a case where this vulnerability has been exploited”.

The company’s advice is to check your device logs for the presence of an entry that reads user="Local_Process_Access" because that is an indicator of compromise. If you find this, call Fortinet Customer Service.
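As an added example (not code from The Register or from Fortinet), the following Python script parses FortiOS-style key="value" log lines and flags any entry whose user field carries the advisory's indicator, user="Local_Process_Access". The sample log lines, their field names and values are constructed for illustration and are not real device output.

```python
import re
from typing import Dict, List

# Indicator of compromise named in Fortinet's advisory for CVE-2022-40684.
IOC_USER = "Local_Process_Access"

# Matches key=value and key="quoted value" pairs (FortiOS-style log layout).
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_log_line(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict, unquoting quoted values."""
    fields: Dict[str, str] = {}
    for m in _KV_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def find_ioc_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed entries whose user field equals the advisory's IoC."""
    hits = []
    for line in lines:
        entry = parse_log_line(line)
        if entry.get("user") == IOC_USER:
            hits.append(entry)
    return hits


# Constructed sample lines (assumed layout, invented values; not real logs).
SAMPLE_LOGS = [
    'date=2022-10-10 time=09:12:01 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" user="admin" '
    'ui="https(192.0.2.10)" action="login" status="success" msg="Administrator admin logged in"',
    'date=2022-10-10 time=09:15:44 logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="Local_Process_Access" '
    'ui="https(203.0.113.5)" action="Add" cfgtid=42 msg="Configuration object added"',
    'date=2022-10-10 time=09:20:05 logid="0100032002" type="event" subtype="system" '
    'level="alert" vd="root" logdesc="Admin login failed" user="root" ui="https(198.51.100.7)" '
    'action="login" status="failed" reason="passwd_invalid"',
]

if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOGS):
        print(f'{hit["date"]} {hit["time"]} user={hit["user"]} ui={hit["ui"]} '
              f'action={hit["action"]} msg={hit.get("msg", "")}')
```

A real deployment would feed the exported event log (or the syslog stream) into find_ioc_hits instead of the constructed list; any hit is the cue, per the advisory, to contact Fortinet Customer Service.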

Other customers have been asked to disable HTTP/HTTPS access in FortiOS and FortiProxy or limit the IP addresses that can reach this interface.

FortiSwitchManager customers only have the first option: disable the HTTP/HTTPS management interface.

For all three products, the next step is to upgrade to a fixed release:

  • Update FortiOS version 7.2.0 through 7.2.1 to version 7.2.2
  • Update FortiOS version 7.0.0 through 7.0.6 to version 7.0.7 or later
  • Upgrade FortiProxy version 7.2.0 to FortiProxy version 7.2.1 or later
  • Upgrade FortiProxy version 7.0.0 through 7.0.6 to FortiProxy version 7.0.7 or later
  • Upgrade FortiSwitchManager version 7.2.0 to version 7.2.1 or later
  • Upgrade FortiSwitchManager version 7.0.0 to version 7.0.71 or later


https://www.theregister.com/2022/10/11/fortinet_critical_flaw/

Rick Schindler
