Name:Fortinet Appliance Auth bypass id:a83122f2-fa09-4868-a230-544dbc54bc1c version:3 date:2024-09-30 author:Michael Haag, Splunk status:production type:TTP Description:The following analytic detects attempts to exploit CVE-2022-40684, a Fortinet appliance authentication bypass vulnerability. It identifies REST API requests to the /api/v2/ endpoint using various HTTP methods (GET, POST, PUT, DELETE) that may indicate unauthorized modifications, such as adding SSH keys or creating new users. This detection leverages the Web datamodel to monitor specific URL patterns and HTTP methods. This activity is significant as it can lead to unauthorized access and control over the appliance. If confirmed malicious, attackers could gain persistent access, reroute network traffic, or capture sensitive information. Data_source:
-Palo Alto Network Threat
search:| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/api/v2/cmdb/system/admin*") Web.http_method IN ("GET", "PUT") by Web.http_user_agent, Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `fortinet_appliance_auth_bypass_filter`
how_to_implement:This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache. Splunk for Nginx, or Splunk for Palo Alto. known_false_positives:GET requests will be noisy and need to be filtered out or removed from the query based on volume. Restrict analytic to known publically facing Fortigates, or run analytic as a Hunt until properly tuned. It is also possible the user agent may be filtered on Report Runner or Node.js only for the exploit, however, it is unknown at this if other user agents may be used. References: -https://www.wordfence.com/blog/2022/10/threat-advisory-cve-2022-40684-fortinet-appliance-auth-bypass/ -https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/ -https://github.com/horizon3ai/CVE-2022-40684 -https://www.horizon3.ai/fortinet-iocs-cve-2022-40684/ -https://attackerkb.com/topics/QWOxGIKkGx/cve-2022-40684/rapid7-analysis -https://github.com/rapid7/metasploit-framework/pull/17143 drilldown_searches: name:'View the detection results for - "$dest$"' search:'%original_detection_search% | search dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'CVE-2022-40684 Fortinet Appliance Auth bypass' asset_type:Network confidence:90 cve: - 'CVE-2022-40684' impact:90 message:Potential CVE-2022-40684 against a Fortinet appliance may be occurring against $dest$. mitre_attack_id: - 'T1190' - 'T1133' observable: name:'dest' type:'Hostname' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - 'Web.http_user_agent' - 'Web.http_method' - 'Web.url' - 'Web.url_length' - 'Web.src' - 'Web.dest' - 'sourcetype' risk_score:81 security_domain:network
