Vulnerability FortiOS SSL-VPN

Vulnerability in Fortinet FortiOS SSL-VPN.

This alert is relevant to organizations that deploy Fortinet FortiOS to provide remote access for their users. It is written for the technical staff who maintain those systems; there is no action for end users to take.

A heap-based buffer overflow vulnerability (CVE-2022-42475) has been identified in multiple versions of Fortinet FortiOS SSL-VPN.

FortiOS SSL-VPN is widely used by organizations to securely grant users remote access to their network, including allowing users to work from home.

Exploitation of this vulnerability could allow a remote, unauthenticated attacker to execute arbitrary code on the device running FortiOS and perform unauthorized actions. It can also be used to crash the SSL-VPN daemon (denial of service).

Fortinet reports that the vulnerability has been exploited in the wild in at least one instance.

Affected organizations should apply the available patch immediately and investigate for signs of compromise.

Organizations that use FortiOS should read Fortinet Product Security Incident Response Team (PSIRT) Advisory FG-IR-22-398 and take the recommended actions.

FortiOS – heap-based buffer overflow in sslvpnd.

Summary

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

Exploitation status:

Fortinet is aware of an instance where this vulnerability was exploited in the wild, and recommends immediately validating your systems against the following indicators of compromise:

Multiple log entries with:

Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"

Presence of the following artifacts in the filesystem:

/data/lib/libips.bak
/data/lib/libgif.so
/data/lib/libiptcp.so
/data/lib/libipudp.so
/data/lib/libjepg.so
/var/.sslvpnconfigbk
/data/etc/wxd.conf
/flash

Connections to suspicious IP addresses from the FortiGate:

188.34.130.40:444
103.131.189.143:30080,30081,30443,20443
192.36.119.61:8443,444
172.247.168.153:8033
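The three indicator types above (crash log entries, filesystem artifacts, outbound connections) can be matched mechanically against data exported from a FortiGate. The script below is an added example, not part of the Fortinet advisory or of FortiOS. It assumes crash logs are available as FortiOS-style key=value event log lines, that a file listing from the device is available as plain paths, and that outbound connections are available as (destination IP, destination port) pairs, for instance from traffic logs. The sample log lines, paths and connections embedded in it are constructed for the example and are not real device output.

```python
import re
from typing import Iterable, List, Tuple

# Indicators transcribed from FG-IR-22-398 as reproduced above.
ARTIFACT_PATHS = {
    "/data/lib/libips.bak",
    "/data/lib/libgif.so",
    "/data/lib/libiptcp.so",
    "/data/lib/libipudp.so",
    "/data/lib/libjepg.so",
    "/var/.sslvpnconfigbk",
    "/data/etc/wxd.conf",
    "/flash",
}
SUSPICIOUS_ENDPOINTS = {
    ("188.34.130.40", 444),
    ("103.131.189.143", 30080), ("103.131.189.143", 30081),
    ("103.131.189.143", 30443), ("103.131.189.143", 20443),
    ("192.36.119.61", 8443), ("192.36.119.61", 444),
    ("172.247.168.153", 8033),
}

# FortiOS event logs are space-separated key=value pairs; values that
# contain spaces are double-quoted.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_SSLVPND = re.compile(r"application:\s*sslvpnd\b")


def parse_log_line(line: str) -> dict:
    """Split one key=value log line into a dict, stripping value quotes."""
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def is_sslvpnd_crash(fields: dict) -> bool:
    """True when the entry matches the crash indicator: 'Application crashed'
    with a msg naming sslvpnd, 'Signal 11 received' and a backtrace."""
    if fields.get("logdesc") != "Application crashed":
        return False
    msg = fields.get("msg", "")
    return bool(_SSLVPND.search(msg)) and "Signal 11 received" in msg and "Backtrace:" in msg


def count_sslvpnd_crashes(lines: Iterable[str]) -> int:
    return sum(1 for line in lines if is_sslvpnd_crash(parse_log_line(line)))


def find_artifacts(paths: Iterable[str]) -> List[str]:
    """Exact-path matches against the artifact list (directories included)."""
    return sorted(p for p in set(paths) if p in ARTIFACT_PATHS)


def find_suspicious_connections(conns: Iterable[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Destination (IP, port) pairs that match the advisory's list."""
    return sorted(c for c in set(conns) if c in SUSPICIOUS_ENDPOINTS)


def assess(lines, paths, conns) -> dict:
    """Combine the three checks. The advisory says 'multiple' crash entries, so a
    single sslvpnd crash is reported in crash_count but does not by itself set
    'suspicious' (that threshold is this example's reading, not Fortinet's)."""
    crashes = count_sslvpnd_crashes(lines)
    artifacts = find_artifacts(paths)
    connections = find_suspicious_connections(conns)
    return {
        "crash_count": crashes,
        "artifacts": artifacts,
        "connections": connections,
        "suspicious": crashes >= 2 or bool(artifacts) or bool(connections),
    }


# Constructed sample data for this example (not real device output).
SAMPLE_LOGS = [
    'date=2022-12-09 time=03:14:07 type="event" subtype="system" level="critical" '
    'logdesc="Application crashed" msg="Pid: 2187, application: sslvpnd, '
    'Firmware: FortiGate v7.0.7, Signal 11 received, Backtrace: [0x00c34a11] [0x00c34b02]"',
    'date=2022-12-09 time=03:14:31 type="event" subtype="system" level="critical" '
    'logdesc="Application crashed" msg="Pid: 2190, application: sslvpnd, '
    'Firmware: FortiGate v7.0.7, Signal 11 received, Backtrace: [0x00c34a11] [0x00c34b02]"',
    # A crash of a different daemon must not be counted.
    'date=2022-12-09 time=04:00:00 type="event" subtype="system" level="critical" '
    'logdesc="Application crashed" msg="Pid: 41, application: httpsd, '
    'Signal 11 received, Backtrace: [0x00a0ffee]"',
    'date=2022-12-09 time=04:01:12 type="event" subtype="system" level="notice" '
    'logdesc="Admin login successful" msg="Administrator admin logged in"',
]
SAMPLE_PATHS = ["/data/lib/libips.so", "/data/lib/libgif.so", "/var/.sslvpnconfigbk", "/data/etc/ntp.conf"]
SAMPLE_CONNS = [("188.34.130.40", 444), ("188.34.130.40", 443), ("203.0.113.7", 8443)]

if __name__ == "__main__":
    print(assess(SAMPLE_LOGS, SAMPLE_PATHS, SAMPLE_CONNS))
```

Note that the match on `application:sslvpnd` is anchored to the daemon name, so crashes of other processes are not counted, and the IP check requires the port as well as the address; a connection to one of the listed addresses on an unlisted port is not reported. Absence of all three indicators is not proof the device is clean, only that these particular indicators were not found.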

Affected Products

FortiOS version 7.2.0 through 7.2.2
FortiOS version 7.0.0 through 7.0.8
FortiOS version 6.4.0 through 6.4.10
FortiOS version 6.2.0 through 6.2.11
FortiOS-6K7K version 7.0.0 through 7.0.7
FortiOS-6K7K version 6.4.0 through 6.4.9
FortiOS-6K7K version 6.2.0 through 6.2.11
FortiOS-6K7K version 6.0.0 through 6.0.14

Solutions

Please upgrade to FortiOS version 7.2.3 or above
Please upgrade to FortiOS version 7.0.9 or above
Please upgrade to FortiOS version 6.4.11 or above
Please upgrade to FortiOS version 6.2.12 or above
Please upgrade to FortiOS-6K7K version 7.0.8 or above
Please upgrade to FortiOS-6K7K version 6.4.10 or above
Please upgrade to FortiOS-6K7K version 6.2.12 or above
Please upgrade to FortiOS-6K7K version 6.0.15 or above
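Because the affected ranges and fixed releases differ between FortiOS and FortiOS-6K7K on the same branch (7.0.8 is affected on FortiOS but is the fixed release on FortiOS-6K7K), it is easy to misread the lists by hand. The check below is an added example, not Fortinet's tooling; the ranges are transcribed from the Affected Products and Solutions lists above, and the input format (product name plus a dotted three-part version such as "7.0.8") is an assumption of the example.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, first fixed) per product and branch,
# transcribed from the advisory's Affected Products and Solutions lists.
AFFECTED = {
    "FortiOS": [
        ((7, 2, 0), (7, 2, 2), (7, 2, 3)),
        ((7, 0, 0), (7, 0, 8), (7, 0, 9)),
        ((6, 4, 0), (6, 4, 10), (6, 4, 11)),
        ((6, 2, 0), (6, 2, 11), (6, 2, 12)),
    ],
    "FortiOS-6K7K": [
        ((7, 0, 0), (7, 0, 7), (7, 0, 8)),
        ((6, 4, 0), (6, 4, 9), (6, 4, 10)),
        ((6, 2, 0), (6, 2, 11), (6, 2, 12)),
        ((6, 0, 0), (6, 0, 14), (6, 0, 15)),
    ],
}


def parse_version(text: str) -> Version:
    """Accept 'major.minor.patch' with an optional leading 'v'; reject anything else."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def check(product: str, version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, first_fixed_release). A (False, None) result means the
    version is not inside any range listed in the advisory; it does not by
    itself mean the branch is supported or was assessed."""
    ranges = AFFECTED.get(product)
    if ranges is None:
        raise ValueError(f"unknown product: {product!r}")
    v = parse_version(version)
    for lo, hi, fixed in ranges:
        if lo <= v <= hi:
            return True, ".".join(str(n) for n in fixed)
    return False, None


if __name__ == "__main__":
    for product, ver in [("FortiOS", "7.0.8"), ("FortiOS-6K7K", "7.0.8"), ("FortiOS", "7.2.3")]:
        print(product, ver, check(product, ver))
```

Tuple comparison orders versions component by component, so 6.4.10 sorts after 6.4.9 as intended (string comparison would get this wrong). Feed the function the product and the version reported by the device itself, not the version you believe was installed.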
