""ET WEB_SERVER [Cluster25] FortiOS Auth Bypass Attempt (CVE-2022-40684)""
SID: 2039173
Revision: 3
Class Type: attempted-admin
Metadata: affected_product Web_Server_Applications, affected_product Fortigate, attack_target Web_Server, created_at 2022_10_12, cve CVE_2022_40684, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2022_10_20
Reference:
-
cve
-
2022-40684
Protocol: tcp
Source Network: $EXTERNAL_NET
Source Port: any
Destination Network: [$HOME_NET,$HTTP_SERVERS]
Destination Port: $HTTP_PORTS
Flow: established,to_server
Contents:
-
Value: "/api/v2/" Depth: 8
-
Value: "/system/"
-
Value: "Forwarded|3a 20|"
-
Value: "for|3d 22 5b|127|2e|0|2e|0|2e|1|5d 3a|"
-
Value: !"Referer|3a 20|"
Within:
PCRE: "/^Forwarded\x3a\x20[^\r\n]*for=\x22\x5b127.0.0.1\x5d\x3a/Hmi"
Special Options:
-
http_uri
-
http_uri
-
nocase
-
http_header
-
nocase
-
http_header
-
nocase
-
fast_pattern
-
http_header