Description

CVE-2022-40684 is an authentication bypass in Fortinet appliances that is being actively exploited, and a proof of concept (POC) has been released publicly. The POC adds an SSH key to the appliance. Note that the exploit can be used with any HTTP method (GET, POST, PUT, DELETE, etc.). A failing REST API request is not an indication that an attacker was unsuccessful: Horizon3 was able to modify the admin SSH keys through a REST API request that reportedly failed. The collection of /api/v2/ endpoints can be used to configure the system and modify the administrator user. Any logs that meet the above conditions and also have a URL containing /api/v2/ should be cause for concern. Further investigation of any matching log entries can reveal what damage an attack has done. Additionally, an attacker may perform the following actions to further compromise a system:

  • Modify the admin SSH key to enable the attacker to log in to the compromised system.
  • Add new local users.
  • Update networking configurations to reroute traffic.
  • Download the system configuration.
  • Initiate packet captures to capture other sensitive system information.

Reference: Horizon3.ai

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Web
  • Last Updated: 2022-10-14
  • Author: Michael Haag, Splunk
  • ID: a83122f2-fa09-4868-a230-544dbc54bc1c

Annotations

ATT&CK

ID    | Technique                         | Tactic
------|-----------------------------------|-----------------------------
T1190 | Exploit Public-Facing Application | Initial Access
T1133 | External Remote Services          | Persistence, Initial Access
Kill Chain Phase
  • Delivery
  • Installation
NIST
  • DE.CM
CIS20
  • CIS 13
CVE
ID             | Summary | CVSS
---------------|---------|-----
CVE-2022-40684 | An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests. | None
| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/api/v2/cmdb/system/admin*")  Web.http_method IN ("GET", "PUT") by Web.http_user_agent, Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype 
| `drop_dm_object_name("Web")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `fortinet_appliance_auth_bypass_filter`

Macros

The SPL above uses the following Macros:

  • drop_dm_object_name
  • security_content_ctime
  • fortinet_appliance_auth_bypass_filter

:information_source: fortinet_appliance_auth_bypass_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

  • Web.http_user_agent
  • Web.http_method
  • Web.url
  • Web.url_length
  • Web.src
  • Web.dest
  • sourcetype

How To Implement

This detection requires the Web datamodel to be populated from a supported Technology Add-On such as Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.

Known False Positives

GET requests will be noisy and need to be filtered out or removed from the query based on volume. Restrict the analytic to known publicly facing FortiGates, or run the analytic as a Hunt until it is properly tuned. It is also possible to filter on the user agents Report Runner or Node.js, which are the only ones observed for the exploit so far; however, it is unknown at this time whether other user agents may be used.
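The following is an added example, not code from Splunk or from the analytic's author, that reproduces the logic of the SPL above and the tuning advice in this section outside of Splunk: it parses a few constructed combined-format access-log lines, flags every request whose URL contains /api/v2/cmdb/system/admin regardless of HTTP method or response status (a failed request is still a hit, as the description notes), marks the user agents reported for the POC as a confidence booster rather than a requirement, and aggregates the hits the way the tstats command does (count, firstTime, lastTime by src, method, URL and user agent). The log lines, IP addresses and timestamps are constructed sample data; the optional methods argument is a hypothetical knob that mirrors the SPL's http_method IN ("GET", "PUT") clause so the effect of dropping noisy GETs can be compared.

```python
import re
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Set, Tuple

# URL fragment the detection keys on (the SPL uses the wildcard "*/api/v2/cmdb/system/admin*").
WATCHED_URL_FRAGMENT = "/api/v2/cmdb/system/admin"

# User agents reported for the public POC; boosts confidence but is never required for a hit.
POC_USER_AGENTS = ("Report Runner", "Node.js")

# Constructed sample access-log lines (combined log format); not taken from any real appliance.
SAMPLE_LOGS = [
    '203.0.113.10 - - [10/Oct/2022:12:00:01 +0000] "PUT /api/v2/cmdb/system/admin/admin HTTP/1.1" 500 0 "-" "Report Runner"',
    '203.0.113.10 - - [10/Oct/2022:12:00:02 +0000] "GET /api/v2/cmdb/system/admin HTTP/1.1" 403 120 "-" "Node.js"',
    '198.51.100.7 - - [10/Oct/2022:12:05:00 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2022:12:06:00 +0000] "DELETE /api/v2/cmdb/system/admin/oldadmin HTTP/1.1" 404 0 "-" "curl/7.85.0"',
]

# Combined log format: src ident user [timestamp] "METHOD URL PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one access-log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    event: Dict[str, object] = m.groupdict()
    event["ts"] = datetime.strptime(str(event["ts"]), "%d/%b/%Y:%H:%M:%S %z")
    return event


def detect(lines: Iterable[str], methods: Optional[Set[str]] = None) -> List[Dict[str, object]]:
    """Return every request touching the admin endpoint.

    The response status is deliberately NOT consulted: the description states that a
    failing REST API call can still have modified the administrator user.  When `methods`
    is given it restricts hits like the SPL's http_method IN (...) clause; by default all
    HTTP methods are considered, as the description advises.
    """
    hits = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        if methods is not None and event["method"] not in methods:
            continue
        if WATCHED_URL_FRAGMENT not in str(event["url"]):
            continue
        ua = str(event["ua"])
        event["poc_user_agent"] = any(ua.startswith(p) for p in POC_USER_AGENTS)
        event["url_length"] = len(str(event["url"]))
        hits.append(event)
    return hits


def summarize(hits: List[Dict[str, object]]) -> Dict[Tuple[str, str, str, str], Dict[str, object]]:
    """Aggregate like `tstats count min(_time) max(_time) ... by src, method, url, user_agent`."""
    groups: Dict[Tuple[str, str, str, str], Dict[str, object]] = {}
    for event in hits:
        key = (str(event["src"]), str(event["method"]), str(event["url"]), str(event["ua"]))
        group = groups.setdefault(
            key, {"count": 0, "firstTime": event["ts"], "lastTime": event["ts"],
                  "url_length": event["url_length"], "poc_user_agent": event["poc_user_agent"]}
        )
        group["count"] = int(group["count"]) + 1
        group["firstTime"] = min(group["firstTime"], event["ts"])  # type: ignore[type-var]
        group["lastTime"] = max(group["lastTime"], event["ts"])  # type: ignore[type-var]
    return groups


if __name__ == "__main__":
    for key, group in summarize(detect(SAMPLE_LOGS)).items():
        src, method, url, ua = key
        print(f"{src} {method} {url} ua={ua!r} count={group['count']} poc_ua={group['poc_user_agent']}")
```

Running the block prints three aggregated rows: the PUT and GET from 203.0.113.10 (both with POC user agents and both with non-2xx responses) and the DELETE from 198.51.100.7, which the SPL as written would miss because it only looks at GET and PUT; the /login request is never a hit. Restricting to methods={"PUT"} is the tuning step this section suggests for environments where GET volume is too noisy.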

Associated Analytic Story

RBA

Risk Score | Impact | Confidence | Message
-----------|--------|------------|--------
81.0       | 90     | 90         | Potential CVE-2022-40684 against a Fortinet appliance may be occurring against $dest$.

:information_source: The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). The initial Confidence and Impact are set by the analytic author.

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 1