Fortinet Product Security Incident Response Team (PSIRT) Advisory:

FortiOS / FortiProxy / FortiSwitchManager

CVE-2022-40684 - FortiOS / FortiProxy / FortiSwitchManager - Authentication bypass on administrative interface

Dear Customer,


This notice concerns the Product Security Incident Response Team Advisory published on 2022/10/10 for CVE-2022-40684 ( https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40684 ), PSIRT Advisory FG-IR-22-377 ( https://www.fortiguard.com/psirt/FG-IR-22-377 ):

FortiOS / FortiProxy / FortiSwitchManager - authentication on the administrative interface may be bypassed


Summary

An authentication bypass using an alternate path or channel [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.


Products and versions affected by this vulnerability:

FortiOS version 7.2.0 through 7.2.1
FortiOS version 7.0.0 through 7.0.6
FortiProxy version 7.2.0
FortiProxy version 7.0.0 through 7.0.6
FortiSwitchManager version 7.2.0
FortiSwitchManager version 7.0.0


Affected users are advised to upgrade immediately to the following versions:

Upgrade to FortiOS version 7.2.2 or above
Upgrade to FortiOS version 7.0.7 or above
Upgrade to FortiProxy version 7.2.1 or above
Upgrade to FortiProxy version 7.0.7 or above
Upgrade to FortiSwitchManager version 7.2.1 or above


Versions that are not affected, or that have already been upgraded to the versions above, are not impacted by this vulnerability and require no further action.
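As an added example (not Fortinet's own code), the following Python maps the affected and fixed versions listed above onto a device inventory so an administrator can see which units still need the upgrade; the version ranges are copied from this notice and the inventory rows are constructed sample data.

```python
# Added example for this advisory (not Fortinet code): map the affected and fixed
# versions listed above onto a device inventory. Ranges copied from the advisory.
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected) per release train.
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "FortiOS": [((7, 2, 0), (7, 2, 1)), ((7, 0, 0), (7, 0, 6))],
    "FortiProxy": [((7, 2, 0), (7, 2, 0)), ((7, 0, 0), (7, 0, 6))],
    "FortiSwitchManager": [((7, 2, 0), (7, 2, 0)), ((7, 0, 0), (7, 0, 0))],
}

# Fixed releases the advisory tells users to upgrade to ("or above").
FIXED: Dict[str, List[Version]] = {
    "FortiOS": [(7, 2, 2), (7, 0, 7)],
    "FortiProxy": [(7, 2, 1), (7, 0, 7)],
    "FortiSwitchManager": [(7, 2, 1)],  # no 7.0.x fix is listed in this notice
}

def parse_version(text: str) -> Version:
    """'7.0.6', 'v7.0.6' or '7.0.6 build1234' -> (7, 0, 6); pads to three parts."""
    core = text.strip().lstrip("vV").split()[0]
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])

def assess(product: str, version_text: str) -> str:
    """Return 'not affected', 'unknown product', or an 'affected; ...' verdict."""
    if product not in AFFECTED:
        return "unknown product"
    v = parse_version(version_text)
    if not any(lo <= v <= hi for lo, hi in AFFECTED[product]):
        return "not affected"
    # Recommend the lowest listed fixed release at or above the running version.
    candidates = [f for f in FIXED[product] if f >= v]
    if not candidates:
        return "affected; no fixed release listed in this notice"
    return f"affected; upgrade to {'.'.join(map(str, min(candidates)))} or above"

def scan(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    # Verdict per hostname for (hostname, product, version) rows.
    return {host: assess(product, ver) for host, product, ver in inventory}

# Constructed sample inventory, not real devices.
SAMPLE_INVENTORY = [("fw-edge-01", "FortiOS", "7.2.1"), ("fw-dc-02", "FortiOS", "7.0.7 build1234"),
                    ("proxy-01", "FortiProxy", "7.0.3"), ("fsm-01", "FortiSwitchManager", "7.0.0")]
```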

Customers who cannot upgrade at this time should refer to the workarounds detailed in PSIRT Advisory FG-IR-22-377 on the FortiGuard site ( https://www.fortiguard.com/psirt/FG-IR-22-377 ), or contact their sales representative for assistance.


Workarounds:

  1. Disable HTTP/HTTPS administrative access on the interface

  2. Restrict the source IP addresses allowed on the administrative interface

Limit IP addresses that can reach the administrative interface:

config firewall address
    edit "my_allowed_addresses"
        set subnet <MY IP> <MY SUBNET>
end


Then create an Address Group:

config firewall addrgrp
    edit "MGMT_IPs"
        set member "my_allowed_addresses"
end


Create the Local in Policy to restrict access only to the predefined group on management interface (here: port1):

config firewall local-in-policy
    edit 1
        set intf port1
        set srcaddr "MGMT_IPs"
        set dstaddr "all"
        set action accept
        set service HTTPS HTTP
        set schedule "always"
        set status enable
    next
    edit 2
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service HTTPS HTTP
        set schedule "always"
        set status enable
end


If using non-default ports, create the appropriate service objects for GUI administrative access:

config firewall service custom
    edit GUI_HTTPS
        set tcp-portrange <admin-sport>
    next
    edit GUI_HTTP
        set tcp-portrange <admin-port>
end


Use these objects instead of "HTTPS HTTP" in local-in policies 1 and 2 above.

Please contact customer support for assistance.