{"id":28001,"date":"2022-12-13T01:34:48","date_gmt":"2022-12-13T00:34:48","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=28001"},"modified":"2022-12-13T01:34:48","modified_gmt":"2022-12-13T00:34:48","slug":"fortiguard-labs-reports-critical-vulnerability-cve-2022-42475-in-fortios-is-exploited","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2022\/12\/13\/fortiguard-labs-reports-critical-vulnerability-cve-2022-42475-in-fortios-is-exploited\/","title":{"rendered":"FortiGuard Labs reports: Critical vulnerability CVE-2022-42475 in FortiOS is exploited"},"content":{"rendered":"

\"Sicherheit[German<\/a>]FortiGuard Labs reported a critical vulnerability CVE-2022-42475 in FortiOS on December 12, 2022, which arguably allows remote code execution over SSL VPN. The bad thing is that this vulnerability is already being exploited in the wild. The vendor has since released FortiOS security updates for the affected versions.<\/p>\n

<\/p>\n

\"\"I have been alerted to this issue by two blog readers (thanks for that), which has been documented by FortiGuard Labs in PSIRT Advisory FG-IR-22-398<\/a>. There is a heap-based buffer overflow vulnerability CVE-2022-42475 in FortiOS SSL VPN. Through this vulnerability, unauthenticated attackers could execute arbitrary code or commands via specially crafted requests. The CVE-2022-42475 vulnerability has been assigned a CVE value of 9.3. The following Fortinet products are affected:<\/p>\n

FortiOS Version 7.2.0 to 7.2.2
\nFortiOS version 7.0.0 to 7.0.8
\nFortiOS versions 6.4.0 to 6.4.10
\nFortiOS versions 6.2.0 to 6.2.11
\nFortiOS-6K7K version 7.0.0 to 7.0.7
\nFortiOS-6K7K version 6.4.0 to 6.4.9
\nFortiOS-6K7K version 6.2.0 to 6.2.11
\nFortiOS-6K7K version 6.0.0 to 6.0.14<\/p>\n

Fortinet states that there is already one known case of this vulnerability being exploited in the wild. The vendor recommends immediately scanning systems for the following indicators of compromise:<\/p>\n

Multiple log entries with:<\/p>\n

Logdesc=\"Application crashed\" und msg=\"[…] application:sslvpnd,[…], Signal 11 received, Backtrace: […]\"<\/p>\n

Presence of the following artifacts in the file system:<\/p>\n

\/data\/lib\/libips.bak
\n\/data\/lib\/libgif.so
\n\/data\/lib\/libiptcp.so
\n\/data\/lib\/libipudp.so
\n\/data\/lib\/libjepg.so
\n\/var\/.sslvpnconfigbk
\n\/data\/etc\/wxd.conf
\n\/flash<\/p>\n

Connections to suspicious IP addresses from FortiGate:<\/p>\n

188.34.130.40:444
\n103.131.189.143:30080,30081,30443,20443
\n192.36.119.61:8443,444
\n172.247.168.153:8033<\/p><\/blockquote>\n

If there is evidence of infection, the system must be cleaned (FortiOS clean install). Fortinet recommends updating the affected products to the following software version, depending on the installed FotiOS version, to close the vulnerability.<\/p>\n

FortiOS version 7.2.3 or higher
\nFortiOS version 7.0.9 or higher
\nFortiOS version 6.4.11 or higher
\nFortiOS version 6.2.12 or higher
\nFortiOS-6K7K version 7.0.8 or higher
\nFortiOS-6K7K version 6.4.10 or higher
\nFortiOS-6K7K version 6.2.12 or higher
\nFortiOS-6K7K version 6.0.15 or higher<\/p>\n

Security researcher Will Dormann points out in a tweet that CVE-2022-42475 is still marked as \"reserved.\" Some of the FortiOS updates had already been available for a month. For example, FortiOS 6.2.12, released on November 3, 2022, is supposed to close the CVE-2022-42475 vulnerability, according to the list above. however, nothing about a vulnerability has been mentioned in the release notes.<\/a><\/p>\n

<\/p>\n

At the same time, Dormann included a tweet from Joe Roosen, according to which the vulnerability is already being exploited by ransomware groups. It seems that Fortinet is quite late with the warning – so the fastest possible action is called for.<\/p>\n","protected":false},"excerpt":{"rendered":"

[German]FortiGuard Labs reported a critical vulnerability CVE-2022-42475 in FortiOS on December 12, 2022, which arguably allows remote code execution over SSL VPN. The bad thing is that this vulnerability is already being exploited in the wild. The vendor has since … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,22],"tags":[69],"class_list":["post-28001","post","type-post","status-publish","format-standard","hentry","category-security","category-update","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/28001","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=28001"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/28001\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=28001"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=28001"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=28001"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}