[German]FortiGuard Labs reported a critical vulnerability CVE-2022-42475 in FortiOS on December 12, 2022, which arguably allows remote code execution over SSL VPN. The bad thing is that this vulnerability is already being exploited in the wild. The vendor has since released FortiOS security updates for the affected versions.
Advertising
I have been alerted to this issue by two blog readers (thanks for that), which has been documented by FortiGuard Labs in PSIRT Advisory FG-IR-22-398. There is a heap-based buffer overflow vulnerability CVE-2022-42475 in FortiOS SSL VPN. Through this vulnerability, unauthenticated attackers could execute arbitrary code or commands via specially crafted requests. The CVE-2022-42475 vulnerability has been assigned a CVE value of 9.3. The following Fortinet products are affected:
FortiOS Version 7.2.0 to 7.2.2
FortiOS version 7.0.0 to 7.0.8
FortiOS versions 6.4.0 to 6.4.10
FortiOS versions 6.2.0 to 6.2.11
FortiOS-6K7K version 7.0.0 to 7.0.7
FortiOS-6K7K version 6.4.0 to 6.4.9
FortiOS-6K7K version 6.2.0 to 6.2.11
FortiOS-6K7K version 6.0.0 to 6.0.14
Fortinet states that there is already one known case of this vulnerability being exploited in the wild. The vendor recommends immediately scanning systems for the following indicators of compromise:
Multiple log entries with:
Logdesc="Application crashed" und msg="[…] application:sslvpnd,[…], Signal 11 received, Backtrace: […]"
Presence of the following artifacts in the file system:
/data/lib/libips.bak
/data/lib/libgif.so
/data/lib/libiptcp.so
/data/lib/libipudp.so
/data/lib/libjepg.so
/var/.sslvpnconfigbk
/data/etc/wxd.conf
/flashConnections to suspicious IP addresses from FortiGate:
188.34.130.40:444
103.131.189.143:30080,30081,30443,20443
192.36.119.61:8443,444
172.247.168.153:8033
If there is evidence of infection, the system must be cleaned (FortiOS clean install). Fortinet recommends updating the affected products to the following software version, depending on the installed FotiOS version, to close the vulnerability.
FortiOS version 7.2.3 or higher
FortiOS version 7.0.9 or higher
FortiOS version 6.4.11 or higher
FortiOS version 6.2.12 or higher
FortiOS-6K7K version 7.0.8 or higher
FortiOS-6K7K version 6.4.10 or higher
FortiOS-6K7K version 6.2.12 or higher
FortiOS-6K7K version 6.0.15 or higher
Advertising
Security researcher Will Dormann points out in a tweet that CVE-2022-42475 is still marked as "reserved." Some of the FortiOS updates had already been available for a month. For example, FortiOS 6.2.12, released on November 3, 2022, is supposed to close the CVE-2022-42475 vulnerability, according to the list above. however, nothing about a vulnerability has been mentioned in the release notes.
At the same time, Dormann included a tweet from Joe Roosen, according to which the vulnerability is already being exploited by ransomware groups. It seems that Fortinet is quite late with the warning – so the fastest possible action is called for.
