There are rumors about a vulnerability in Fortinets FortiGate firewalls where you may bypass authentication on their admin interfaces. Affected seem to be FortiOS 7.0.x and FortiOS 7.2.0/1. A fix is included in FortiOS 7.0.7 and FortiOS 7.2.2. It is written the vulnerability has CVE-2022-40684.
It is imperative that you protect your FortiGate interfaces with TrustedHosts AND Local-In-Policies. Only using TrustHosts protects HTTPS, SSH, etc but not other protocols like SIP, IPsec, CAPWAP, BGP, SSLVPN* etc which are also local services running on the FortiGate, which need to be protected, too.
*SSLVPN = Even though SSLVPN might be not configured and therefore seems to be inactive, in some cases for example vulnerability-scanners still trigger the SSLVPN service to log errors in FortiGates log. This only is solved by setting up local-in-polices.
Example for trusthost & local-in-policy:
System > Administrators >
config system admin
edit "admin"
set trusthost1 172.26.73.48 255.255.255.255
set accprofile "super_admin"
set vdom "root"
next
endConfiguring address and address group as per the trusted hosts:
config firewall addressConfiguring Firewall local in policies:
edit "trusted-1"
set type ipmask
set comment ''
set visibility enable
set associated-interface ''
set color 0
set allow-routing disable
set subnet 172.26.73.48 255.255.255.255
next
end
config firewall addrgrp
edit "trusted_grp"
set member "trusted-1"
set comment ''
set visibility enable
set color 0
next
end
config firewall local-in-policy
edit 2
set intf "port1"
set srcaddr "trusted_grp"
set dstaddr "all"
set action accept
set service "PING"
set schedule "always"
set status enable
set comments ''
next
edit 1
set intf "port1"
set srcaddr "all"
set dstaddr "all"
set action deny
set service "PING"
set schedule "always"
set status enable
set comments ''
next
end
Remember: This example shows the local-in-policy only for "ping". You want to protect all services (except for example SSLVPN or IPsec if you use them).
