Fortinet warns of critical flaw in its security appliance OSes, admin panels

Naturally, they're already under attack – so you know what to do next

Security appliance vendor Fortinet has become the subject of a bug report by its own FortiGuard Labs after the discovery of a critical-rated flaw in three of its products.

CVE-2022-40684 is rated 9.6/10 on the Common Vulnerability Scoring System (CVSS), meaning it is considered a critical flaw worthy of immediate attention.

FortiGuard's advisory explains why the flaw scored so highly, revealing it's an authentication bypass present in FortiOS, FortiProxy, and FortiSwitchManager.

FortiOS is the operating system for Fortinet's security appliances, FortiProxy is the company's secure web proxy, and FortiSwitchManager manages Fortinet's Ethernet switches.

The flaw could allow "an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests."

Which means an unknown party could be messing with your security appliances or switches as you read this story. Indeed, Fortinet has warned that it is "aware of an instance where this vulnerability was exploited."

The company's advice is to check your device logs for the presence of an entry that reads user="Local_Process_Access" as that's an indicator of compromise. If you find that, get on the phone to Fortinet customer service.
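As an added example (not Fortinet's tooling and not part of the original article), the check above can be automated rather than eyeballed: the script below parses FortiOS-style space-separated key="value" event log lines and reports every record whose user field is the advisory's indicator, Local_Process_Access. The log format, field names and the sample lines are assumptions constructed for this example; point it at an exported log file to run it against real data.

```python
import re

# Constructed sample lines in FortiOS-style key="value" format.
# They are made up for this example and are not real appliance output.
SAMPLE_LOG = """\
date=2022-10-10 time=09:12:01 type="event" subtype="system" user="admin" ui="https(192.0.2.10)" action="login" status="success" msg="Administrator admin logged in successfully"
date=2022-10-10 time=09:15:44 type="event" subtype="system" user="Local_Process_Access" ui="" action="Edit" cfgpath="system.admin" msg="Edit system.admin admin"
date=2022-10-10 time=09:16:02 type="event" subtype="system" user="Local_Process_Access" ui="" action="Add" cfgpath="system.admin" msg="Add system.admin helpdesk"
date=2022-10-10 time=10:01:30 type="event" subtype="system" user="admin" ui="ssh(198.51.100.7)" action="logout" msg="Administrator admin logged out"
"""

# The indicator of compromise named in Fortinet's advisory.
INDICATOR_USER = "Local_Process_Access"

# One key=value token: the value is either a double-quoted string (may contain
# spaces and escaped quotes) or a bare run of non-space characters.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict, stripping quotes from values."""
    fields = {}
    for key, value in _KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def find_indicator(lines, indicator=INDICATOR_USER):
    """Return the parsed records whose user field equals the indicator, in log order."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        record = parse_line(line)
        if record.get("user") == indicator:
            hits.append(record)
    return hits


def summarize(hits):
    """One readable line per hit: what was changed, and when."""
    return [
        f'{h.get("date", "?")} {h.get("time", "?")} user={h.get("user")} '
        f'action={h.get("action", "?")} cfgpath={h.get("cfgpath", "?")} msg={h.get("msg", "")}'
        for h in hits
    ]


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # Scan an exported log file given on the command line.
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            matches = find_indicator(fh)
    else:
        # No file given: run against the constructed sample.
        matches = find_indicator(SAMPLE_LOG.splitlines())
    for line in summarize(matches):
        print(line)
    print(f"{len(matches)} indicator hit(s)")
```

Any hit is the trigger the advisory describes for contacting Fortinet; the summary lines (date, action, cfgpath) are what you would want in hand for that call, since they show which configuration objects were touched.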

Other customers have been urged to disable HTTP/HTTPS access in FortiOS and FortiProxy or restrict the IP addresses that can reach that interface.

FortiSwitchManager customers have only the first option: disabling the HTTP/HTTPS admin interface.

Across all three products, the next step is to upgrade to the fixed versions of FortiOS, FortiProxy and FortiSwitchManager, as follows: