Fortinet Appliance Auth bypass

Try in Splunk Security Cloud

Description

The following analytic detects attempts to exploit CVE-2022-40684, a Fortinet appliance authentication bypass vulnerability. It identifies REST API requests to the /api/v2/ endpoint using various HTTP methods (GET, POST, PUT, DELETE) that may indicate unauthorized modifications, such as adding SSH keys or creating new users. This detection leverages the Web datamodel to monitor specific URL patterns and HTTP methods. This activity is significant as it can lead to unauthorized access and control over the appliance. If confirmed malicious, attackers could gain persistent access, reroute network traffic, or capture sensitive information.

• Type: TTP
• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Web
• Last Updated: 2024-05-12
• Author: Michael Haag, Splunk
• ID: a83122f2-fa09-4868-a230-544dbc54bc1c

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1190	Exploit Public-Facing Application	Initial Access

T1133

External Remote Services

Persistence, Initial Access

Kill Chain Phase

• Delivery
• Installation

NIST

• DE.CM

CIS20

• CIS 13

CVE

Search

| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/api/v2/cmdb/system/admin*")  Web.http_method IN ("GET", "PUT") by Web.http_user_agent, Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype 
| `drop_dm_object_name("Web")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `fortinet_appliance_auth_bypass_filter`

Macros

The SPL above uses the following Macros:

• security_content_ctime

fortinet_appliance_auth_bypass_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• Web.http_user_agent
• Web.http_method
• Web.url
• Web.url_length
• Web.src
• Web.dest
• sourcetype

How To Implement

This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache. Splunk for Nginx, or Splunk for Palo Alto.

Known False Positives

GET requests will be noisy and need to be filtered out or removed from the query based on volume. Restrict analytic to known publically facing Fortigates, or run analytic as a Hunt until properly tuned. It is also possible the user agent may be filtered on Report Runner or Node.js only for the exploit, however, it is unknown at this if other user agents may be used.

Associated Analytic Story

• CVE-2022-40684 Fortinet Appliance Auth bypass

RBA

Risk Score	Impact	Confidence	Message
81.0	90	90	Potential CVE-2022-40684 against a Fortinet appliance may be occurring against $dest$.

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://www.wordfence.com/blog/2022/10/threat-advisory-cve-2022-40684-fortinet-appliance-auth-bypass/
• https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/
• https://github.com/horizon3ai/CVE-2022-40684
• https://www.horizon3.ai/fortinet-iocs-cve-2022-40684/
• https://attackerkb.com/topics/QWOxGIKkGx/cve-2022-40684/rapid7-analysis
• https://github.com/rapid7/metasploit-framework/pull/17143

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 2