## https://sploitus.com/exploit?id=E8033F3F-24AB-5402-AEA7-5583EDDC76C9
# CVE-2022-40684-POC
CVE-2022-40684, affecting multiple Fortinet products, is an authentication bypass that allows remote attackers to execute code via the REST API.

## Details

The recent FortiOS / FortiProxy / FortiSwitchManager CVE has reportedly been exploited in the wild.
The exploit can be used with any HTTP method (GET, POST, PUT, DELETE, etc.): a request to the `/api/v2` REST API can be used to change the admin SSH keys and thereby achieve code execution.
The exploit is straightforward (though it may look complicated to some); any device with its administrative interface exposed to the internet is at risk of being compromised by a single HTTP request that leads to code execution.
All workarounds are listed below.
All the necessary information and a technical deep dive into the vulnerability can be found in `PoC.pdf`.
`CVE-2022-40684.py` is the script that exploits the vulnerability and adds SSH keys for the admin/user to obtain command execution.


Here is the download link for the exploit: [CVE-2022-40684.py](https://bit.ly/3esvBuE)


![PoC](/poc.png)



## Workaround

### FortiOS

- Disable the HTTP/HTTPS administrative interface

OR

- Limit the IP addresses that can reach the administrative interface:
```
config firewall address
    edit "my_allowed_addresses"
        set subnet <MY IP> <MY SUBNET>
end
```

Then create an Address Group:

```
config firewall addrgrp
    edit "MGMT_IPs"
        set member "my_allowed_addresses"
end
```

Create the Local-in Policy to restrict access to the predefined group only on the management interface (here: port1):

```
config firewall local-in-policy
    edit 1
        set intf port1
        set srcaddr "MGMT_IPs"
        set dstaddr "all"
        set action accept
        set service HTTPS HTTP
        set schedule "always"
        set status enable
    next
    edit 2
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service HTTPS HTTP
        set schedule "always"
        set status enable
end
```

- If using non-default ports, create the appropriate service objects for GUI administrative access:

```
config firewall service custom
    edit GUI_HTTPS
        set tcp-portrange <admin-sport>
    next
    edit GUI_HTTP
        set tcp-portrange <admin-port>
end
```

- Use these objects instead of `HTTPS HTTP` in local-in policies 1 and 2 above.


### FortiProxy

- Disable the HTTP/HTTPS administrative interface

OR

- Limit the IP addresses that can reach the administrative interface (here: port1):
```
config system interface
    edit port1
        set dedicated-to management
        set trust-ip-1 <MY IP> <MY SUBNET>
end
```
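As an added example (not code from this repository or from Fortinet), the following Python script audits configuration text in the CLI syntax shown in both workarounds above: it checks that the FortiOS local-in policy accepts the admin services only from a defined address or group and is followed by a catch-all deny, and that a FortiProxy interface dedicated to management carries a `trust-ip-N` entry. It assumes only the `config` / `edit` / `set` / `next` / `end` syntax on this page; the sample configurations are constructed, with TEST-NET addresses standing in for `<MY IP> <MY SUBNET>`, and the `0.0.0.0 0.0.0.0` "any host" value and the default `deny` action for local-in policies are assumptions about FortiOS defaults.

```python
"""Audit FortiOS / FortiProxy CLI text for the CVE-2022-40684 workarounds (added example; sample configs are constructed)."""
import shlex

ADMIN_SERVICES = {"HTTP", "HTTPS"}   # service objects exposing the admin GUI / REST API
ANY_HOST = ["0.0.0.0", "0.0.0.0"]     # assumed FortiOS default for trust-ip-N, meaning any source


def parse_fortios_config(text):
    """Nested dicts: table ("firewall address") -> entry -> {attribute: [tokens]}."""
    root = {}
    stack = [("config", root)]                  # (kind, node); kind lets 'end' unwind an open 'edit'
    for line in filter(None, map(str.strip, text.splitlines())):
        kw, _, rest = line.partition(" ")
        rest = rest.strip()
        if kw == "config":                      # 'config firewall local-in-policy'
            node = stack[-1][1].setdefault(rest, {})
            stack.append(("config", node))
        elif kw == "edit":                      # 'edit "MGMT_IPs"' -> key MGMT_IPs, quotes stripped
            node = stack[-1][1].setdefault(shlex.split(rest)[0] if rest else "", {})
            stack.append(("edit", node))
        elif kw == "set":                       # 'set service HTTPS HTTP' -> ['HTTPS', 'HTTP']
            key, _, value = rest.partition(" ")
            stack[-1][1][key] = shlex.split(value)
        elif kw == "next" and stack[-1][0] == "edit":
            stack.pop()
        elif kw == "end":                       # 'end' inside an 'edit' closes entry and table, as the CLI does
            while len(stack) > 1 and stack.pop()[0] != "config":
                pass
    return root


def audit_fortios(text):
    """FortiOS workaround: accept admin services from a defined address/group, then a catch-all deny. [] = compliant."""
    cfg = parse_fortios_config(text)
    known = set(cfg.get("firewall address", {})) | set(cfg.get("firewall addrgrp", {}))
    findings, restricted_accept, catch_all_deny = [], False, False
    for pid, pol in cfg.get("firewall local-in-policy", {}).items():
        if not ADMIN_SERVICES & set(pol.get("service", [])):
            continue                            # rule does not cover the admin services
        src, action = pol.get("srcaddr", []), pol.get("action", ["deny"])[0]  # deny assumed default
        if action == "accept" and (not src or src == ["all"]):
            findings.append(f"policy {pid}: accepts admin services from 'all'")
        elif action == "accept" and not set(src) <= known:
            findings.append(f"policy {pid}: srcaddr {src} is not a defined address or group")
        elif action == "accept":
            restricted_accept = True
        elif src == ["all"] and restricted_accept:
            catch_all_deny = True               # order matters: the deny must follow the accept
    if not restricted_accept:
        findings.append("no accept rule limits admin services to a defined source address")
    if not catch_all_deny:
        findings.append("no catch-all deny for admin services after the restricted accept rule")
    return findings


def audit_fortiproxy(text):
    """FortiProxy workaround: each management interface needs a trust-ip-N narrower than any host. [] = compliant."""
    findings = []
    for name, intf in parse_fortios_config(text).get("system interface", {}).items():
        if intf.get("dedicated-to") != ["management"]:
            continue
        trusted = [v for k, v in intf.items() if k.startswith("trust-ip-") and v and v != ANY_HOST]
        if not trusted:
            findings.append(f"interface {name}: management interface without a trust-ip restriction")
    return findings


# Constructed sample: the page's FortiOS workaround with <MY IP> <MY SUBNET> filled in (TEST-NET).
HARDENED_FORTIOS = """
config firewall addrgrp
    edit "MGMT_IPs"
        set member "my_allowed_addresses"
end
config firewall local-in-policy
    edit 1
        set intf port1
        set srcaddr "MGMT_IPs"
        set action accept
        set service HTTPS HTTP
    next
    edit 2
        set srcaddr "all"
        set action deny
        set service HTTPS HTTP
end
"""
# Constructed mistake: the accept rule matches every source, so the deny restricts nothing.
WEAK_FORTIOS = HARDENED_FORTIOS.replace('set srcaddr "MGMT_IPs"', 'set srcaddr "all"')
# Constructed FortiProxy sample, and the same with the unrestricted 'any host' value.
HARDENED_FORTIPROXY = """
config system interface
    edit port1
        set dedicated-to management
        set trust-ip-1 203.0.113.10 255.255.255.255
end
"""
WEAK_FORTIPROXY = HARDENED_FORTIPROXY.replace("203.0.113.10 255.255.255.255", "0.0.0.0 0.0.0.0")

if __name__ == "__main__":
    print("FortiOS:", audit_fortios(HARDENED_FORTIOS) or "OK", audit_fortios(WEAK_FORTIOS))
    print("FortiProxy:", audit_fortiproxy(HARDENED_FORTIPROXY) or "OK", audit_fortiproxy(WEAK_FORTIPROXY))
```

Run it against a `show firewall local-in-policy` / `show system interface` dump (or a full backup) to confirm the workaround survived the next config push; an empty findings list is the pass condition, and the parser keeps rule order, so a deny placed before the accept is reported rather than silently accepted.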