Dear Customer:
This notice concerns the Product Security Incident Response Team Advisory published on 2022/10/10 for CVE-2022-40684
( https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40684 ),
PSIRT Advisory FG-IR-22-377 ( https://www.fortiguard.com/psirt/FG-IR-22-377 ):
the authentication on the administrative interface of FortiOS / FortiProxy / FortiSwitchManager may be bypassed.
Summary
An authentication bypass using an alternate path or channel [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
Products currently affected by this vulnerability:
FortiOS versions 7.2.0 through 7.2.1
FortiOS versions 7.0.0 through 7.0.6
FortiProxy version 7.2.0
FortiProxy versions 7.0.0 through 7.0.6
FortiSwitchManager version 7.2.0
FortiSwitchManager version 7.0.0
Affected users are advised to upgrade immediately to the following versions:
Upgrade to FortiOS version 7.2.2 or above
Upgrade to FortiOS version 7.0.7 or above
Upgrade to FortiProxy version 7.2.1 or above
Upgrade to FortiProxy version 7.0.7 or above
Upgrade to FortiSwitchManager version 7.2.1 or above
Versions that are not affected, or that have already been updated to the versions above, are not exposed to this vulnerability and require no further action.
Customers who cannot upgrade at this time should refer to the FortiGuard
PSIRT Advisory FG-IR-22-377
( https://www.fortiguard.com/psirt/FG-IR-22-377 ) for details of the available workarounds,
or contact their sales representative for assistance.
Workarounds:
Disable HTTP/HTTPS administrative access on the interface.
Limit the source IP addresses that can reach the administrative interface, as follows:
config firewall address
edit "my_allowed_addresses"
set subnet <MY IP> <MY SUBNET>
end
Then create an Address Group:
config firewall addrgrp
edit "MGMT_IPs"
set member "my_allowed_addresses"
end
Create the Local in Policy to restrict access only to the predefined group on management interface (here: port1):
config firewall local-in-policy
edit 1
set intf port1
set srcaddr "MGMT_IPs"
set dstaddr "all"
set action accept
set service HTTPS HTTP
set schedule "always"
set status enable
next
edit 2
set intf "any"
set srcaddr "all"
set dstaddr "all"
set action deny
set service HTTPS HTTP
set schedule "always"
set status enable
end
If using non default ports, create appropriate service object for GUI administrative access:
config firewall service custom
edit GUI_HTTPS
set tcp-portrange <admin-sport>
next
edit GUI_HTTP
set tcp-portrange <admin-port>
end
Use these objects instead of "HTTPS HTTP" in local-in policies 1 and 2 above.
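As an added check (not part of this notice or of Fortinet's advisory), the following Python parses a `config firewall local-in-policy` stanza and verifies the property the workaround relies on: local-in policies are matched first-hit, so the accept from "MGMT_IPs" must be followed by an enabled deny from "all" for HTTP/HTTPS, and no accept from "all" may precede that deny. The sample stanza and the weak variant are constructed for the example; the function names are my own.

```python
import shlex

# Constructed sample shaped like the advisory's mitigation: accept from MGMT_IPs on port1, then deny all.
SAMPLE_CONFIG = """\
config firewall local-in-policy
    edit 1
        set intf port1
        set srcaddr "MGMT_IPs"
        set action accept
        set service HTTPS HTTP
        set status enable
    next
    edit 2
        set intf "any"
        set srcaddr "all"
        set action deny
        set service HTTPS HTTP
        set status enable
    end
"""
WEAK_CONFIG = SAMPLE_CONFIG.split("    edit 2")[0] + "    end\n"  # constructed: accept only, no deny

def parse_local_in_policy(text):
    """Return the stanza's entries in order, e.g. [{"id": "1", "srcaddr": ["MGMT_IPs"], ...}]."""
    entries, current, in_block = [], None, False
    for line in text.splitlines():
        parts = shlex.split(line)  # handles the quoted values FortiOS prints
        if parts[:3] == ["config", "firewall", "local-in-policy"]:
            in_block = True
        elif not in_block or not parts:
            continue
        elif parts[0] == "edit":
            current = {"id": parts[1]}
        elif parts[0] == "set" and current is not None:
            current[parts[1]] = parts[2:]  # e.g. "service" -> ["HTTPS", "HTTP"]
        elif parts[0] in ("next", "end"):
            if current is not None:
                entries.append(current)
            current, in_block = None, parts[0] != "end"
    return entries

def admin_access_restricted(entries, admin_services=("HTTP", "HTTPS")):
    """Local-in policies are first-match: access is restricted only if an enabled
    deny from 'all' exists and no enabled accept from 'all' precedes it."""
    def relevant(e):  # enabled and touching an admin service
        return e.get("status") == ["enable"] and set(e.get("service", [])) & set(admin_services)
    denies = [i for i, e in enumerate(entries)
              if relevant(e) and e.get("action") == ["deny"] and e.get("srcaddr") == ["all"]]
    return bool(denies) and not any(relevant(e) and e.get("action") == ["accept"]
                                    and e.get("srcaddr") == ["all"] for e in entries[:denies[0]])
```

Feed it the output of `show firewall local-in-policy` from a device to confirm the deny rule actually sits after the restricted accept.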
Please contact customer support for assistance.