detections/web/fortinet_appliance_auth_bypass.yml

name: Fortinet Appliance Auth bypass
id: a83122f2-fa09-4868-a230-544dbc54bc1c
version: 4
date: '2024-11-15'
author: Michael Haag, Splunk
status: production
type: TTP
description: The following analytic detects attempts to exploit CVE-2022-40684, a
  Fortinet appliance authentication bypass vulnerability. It identifies REST API requests
  to the /api/v2/ endpoint using various HTTP methods (GET, POST, PUT, DELETE) that
  may indicate unauthorized modifications, such as adding SSH keys or creating new
  users. This detection leverages the Web datamodel to monitor specific URL patterns
  and HTTP methods. This activity is significant as it can lead to unauthorized access
  and control over the appliance. If confirmed malicious, attackers could gain persistent
  access, reroute network traffic, or capture sensitive information.
data_source:
- Palo Alto Network Threat
search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web
  where Web.url IN ("*/api/v2/cmdb/system/admin*")  Web.http_method IN ("GET", "PUT")
  by Web.http_user_agent, Web.http_method, Web.url, Web.url_length, Web.src, Web.dest,
  sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)` | `fortinet_appliance_auth_bypass_filter`'
how_to_implement: This detection requires the Web datamodel to be populated from a
  supported Technology Add-On like Splunk for Apache. Splunk for Nginx, or Splunk
  for Palo Alto.
known_false_positives: GET requests will be noisy and need to be filtered out or removed
  from the query based on volume. Restrict analytic to known publically facing Fortigates,
  or run analytic as a Hunt until properly tuned. It is also possible the user agent
  may be filtered on Report Runner or Node.js only for the exploit, however, it is
  unknown at this if other user agents may be used.
references:
- https://www.wordfence.com/blog/2022/10/threat-advisory-cve-2022-40684-fortinet-appliance-auth-bypass/
- https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/
- https://github.com/horizon3ai/CVE-2022-40684
- https://www.horizon3.ai/fortinet-iocs-cve-2022-40684/
- https://attackerkb.com/topics/QWOxGIKkGx/cve-2022-40684/rapid7-analysis
- https://github.com/rapid7/metasploit-framework/pull/17143
drilldown_searches:
- name: View the detection results for - "$dest$"
  search: '%original_detection_search% | search  dest = "$dest$"'
  earliest_offset: $info_min_time$
  latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`'
  earliest_offset: $info_min_time$
  latest_offset: $info_max_time$
rba:
  message: Potential CVE-2022-40684 against a Fortinet appliance may be occurring
    against $dest$.
  risk_objects:
  - field: dest
    type: system
    score: 81
  threat_objects: []
tags:
  analytic_story:
  - CVE-2022-40684 Fortinet Appliance Auth bypass
  asset_type: Network
  cve:
  - CVE-2022-40684
  mitre_attack_id:
  - T1190
  - T1133
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  security_domain: network
tests:
- name: True Positive Test
  attack_data:
  - data: 
      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/fortigate/fortinetcve202240684.log
    source: pan:threat
    sourcetype: pan:threat