
Fortinet FortiOS Heap-based Buffer Overflow in SSL-VPN Vulnerability under Active Exploitation

This vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code, and Fortinet recommends immediately validating systems against the indicators of compromise.

Report a cyber attack: call 0300 303 5222 or email [email protected]


Threat details

Introduction

Fortinet has released a security advisory to address CVE-2022-42475, a heap-based buffer overflow vulnerability in FortiOS SSL-VPN with a CVSSv3 score of 9.3. An unauthenticated, remote attacker could exploit this vulnerability to execute arbitrary code or commands via specifically crafted requests. 

Exploitation in the wild for CVE-2022-42475

Where organisations have found evidence of compromise they should call 0300 303 5222 or email [email protected] immediately.

Fortinet warns that the vulnerability CVE-2022-42475 is being exploited and recommends immediately validating your systems against the indicators of compromise listed below in this Cyber Alert.

CISA, FBI and CNMF have identified IOCs related to the exploitation of CVE-2022-42475

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Cyber National Mission Force (CNMF) identified the presence of indicators of compromise (IOCs) at an Aeronautical Sector organization as early as January 2023. Analysts confirmed that nation-state advanced persistent threat (APT) actors exploited CVE-2022-42475 to establish presence on the organization’s firewall device.


Threat updates

Date: 8 Sep 2023
Update: CISA, FBI and CNMF have identified IOCs related to the exploitation of CVE-2022-42475

This cyber alert has been updated to reflect this change.


Remediation advice

Affected organisations must:

  • Review Fortinet's Product Security Incident Response Team (PSIRT) advisory FG-IR-22-398
  • Apply relevant updates as soon as practicable
  • Validate your systems against the following indicators of compromise, covering the device's logs, its filesystem and its outbound connections:
    • Multiple log entries with:

      Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"

    • Presence of the following artefacts in the filesystem:

      /data/lib/libips.bak
      /data/lib/libgif.so
      /data/lib/libiptcp.so
      /data/lib/libipudp.so
      /data/lib/libjepg.so
      /var/.sslvpnconfigbk
      /data/etc/wxd.conf
      /flash

    • Connections to suspicious IP addresses from the FortiGate:

      188.34.130[.]40:444
      103.131.189[.]143:30080,30081,30443,20443
      192.36.119[.]61:8443,444
      172.247.168[.]153:8033

Where organisations have found evidence of compromise, they should call 0300 303 5222 or email [email protected] immediately.
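As an added example (not part of this alert or of Fortinet's advisory), a small Python checker that applies the three indicator classes above to exported crash logs, a filesystem listing and outbound connection records. The sample log lines, listing and connections are constructed, and the log layout is assumed to follow the FortiOS key="value" format shown in the alert.

```python
"""Check exported FortiGate crash logs, a filesystem listing and connection
records against the CVE-2022-42475 indicators listed in the alert."""
import re

# Log signature from the alert: sslvpnd crashing with SIGSEGV (Signal 11).
CRASH_RE = re.compile(
    r'logdesc="Application crashed".*application:sslvpnd\b.*Signal 11 received',
    re.IGNORECASE,
)
# Filesystem artefacts from the alert.
IOC_PATHS = frozenset({
    "/data/lib/libips.bak", "/data/lib/libgif.so", "/data/lib/libiptcp.so",
    "/data/lib/libipudp.so", "/data/lib/libjepg.so", "/var/.sslvpnconfigbk",
    "/data/etc/wxd.conf", "/flash",
})
# Suspicious destination IP -> ports from the alert (defanging brackets removed).
IOC_ENDPOINTS = {
    "188.34.130.40": {444},
    "103.131.189.143": {30080, 30081, 30443, 20443},
    "192.36.119.61": {8443, 444},
    "172.247.168.153": {8033},
}

def sslvpnd_crashes(log_lines):
    """Log lines matching the crash signature; repeated hits are the indicator."""
    return [line for line in log_lines if CRASH_RE.search(line)]

def suspicious_files(listing):
    """Alert-listed paths present in a filesystem listing."""
    return sorted(IOC_PATHS.intersection(listing))

def suspicious_connections(connections):
    """Matching (dst_ip, dst_port) pairs from outbound connection records."""
    return sorted({(ip, port) for ip, port in connections
                   if port in IOC_ENDPOINTS.get(ip, ())})

# Constructed sample input (not real device data).
SAMPLE_LOGS = [
    'date=2023-01-09 time=10:11:12 logdesc="Application crashed" msg="Pid: 1204, '
    'application:sslvpnd, Firmware: FortiGate-VM64 v7.0.8, Signal 11 received, '
    'Backtrace: [0x00401234]"',
    'date=2023-01-09 time=10:12:40 logdesc="Application crashed" msg="Pid: 1211, '
    'application:sslvpnd, Firmware: FortiGate-VM64 v7.0.8, Signal 11 received, '
    'Backtrace: [0x00401234]"',
    'date=2023-01-09 time=10:13:01 logdesc="Admin login successful" msg="user=admin"',
]
SAMPLE_LISTING = ["/data/lib/libips.so", "/data/lib/libjepg.so", "/data/etc/wxd.conf"]
SAMPLE_CONNECTIONS = [("188.34.130.40", 444), ("188.34.130.40", 443),
                      ("103.131.189.143", 30443), ("8.8.8.8", 53)]
```

A single sslvpnd crash can have a benign cause; it is the cluster of crash entries, together with any filesystem or connection hit, that warrants escalation.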


Last edited: 8 September 2023 2:25 pm