FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes steps to take when FortiGate is affected by an authentication bypass using an alternate path or channel vulnerability [CWE-288]. [IR Number FG-IR-22-377].
Scope
All versions of FortiGate and FortiOS.
Solution
It's recommended to clean the device with the following steps.
1) Perform a clean installation on all compromised FortiOS devices. - Upgrade/Install the FortiGate/FortiProxy to its latest firmware version, 7.0.7 or v7.2.2 or higher, which will contain the fix for this vulnerability. - Download the firmware from the Fortinet Support site and validate the file hash using SHA512. - Format the device's flash and disks to perform a clean install. The procedure to perform a clean install on FortiGate is explained in the following article: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Loading-FortiGate-firmware-imageusing-TFTP...
2) IMMEDIATELY remove the 'fortigate-tech-support', 'fortigate-support' admin accounts, or any other admin accounts which were not created by the user and were most likely created by an attacker. After deletion, verify there are no more unauthorized FortiGate admin accounts in the configuration.
3) Fortinet does not recommend using the existing configuration. Restore the configuration from a known good backup or create a clean configuration and validate the content in the configuration file.
4) Change GUI/CLI administrative access to non-default TCP ports (instead of 22, 80, 443).
