FortiOS Security Vulnerability

Fortinet has released an advisory for a critical* severity vulnerability in FortiOS with a CVSS v3.1 score of 9.3.

FortiOS Security Vulnerability

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

Exploitation Status

Fortinet is aware of an instance where this vulnerability was exploited in the wild, and recommends immediately validating your systems against the following indicators of compromise:

Multiple log entries with:

Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"

Presence of the following artifacts in the filesystem:

/data/lib/libips.bak
/data/lib/libgif.so
/data/lib/libiptcp.so
/data/lib/libipudp.so
/data/lib/libjepg.so
/var/.sslvpnconfigbk
/data/etc/wxd.conf
/flash

Connections to suspicious IP addresses from the FortiGate:

188.34.130.40:444
103.131.189.143:30080,30081,30443,20443
192.36.119.61:8443,444
172.247.168.153:8033
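The three indicator types above (crash log signature, filesystem artifacts, suspicious destinations) can be checked mechanically against exported FortiGate data. The following triage helper is an added example, not Fortinet's tooling; it assumes event and traffic logs have been exported as text with one event per line in the usual key="value" field style, plus a plain list of filesystem paths. All sample inputs are constructed for illustration and only the IoC values from the advisory are used.

```python
"""Triage exported FortiGate data against the IoCs in the advisory (added example)."""
import re
from typing import Dict, Iterable, List, Tuple

# Filesystem artifacts exactly as named in the advisory
ARTIFACT_PATHS = {
    "/data/lib/libips.bak", "/data/lib/libgif.so", "/data/lib/libiptcp.so",
    "/data/lib/libipudp.so", "/data/lib/libjepg.so", "/var/.sslvpnconfigbk",
    "/data/etc/wxd.conf", "/flash",
}

# Suspicious destination (ip, port) pairs exactly as named in the advisory
SUSPICIOUS_ENDPOINTS = {
    ("188.34.130.40", 444),
    ("103.131.189.143", 30080), ("103.131.189.143", 30081),
    ("103.131.189.143", 30443), ("103.131.189.143", 20443),
    ("192.36.119.61", 8443), ("192.36.119.61", 444),
    ("172.247.168.153", 8033),
}

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_kv(line: str) -> Dict[str, str]:
    """Parse quoted key="value" fields from one log line; keys are lower-cased
    so 'Logdesc' and 'logdesc' compare equal."""
    return {k.lower(): v for k, v in KV_RE.findall(line)}


def is_sslvpnd_crash(line: str) -> bool:
    """True when the line carries the advisory's crash signature: logdesc
    'Application crashed' with an sslvpnd Signal 11 backtrace in msg."""
    f = parse_kv(line)
    msg = f.get("msg", "")
    return (f.get("logdesc") == "Application crashed"
            and "application:sslvpnd" in msg
            and "Signal 11 received" in msg)


def count_crashes(lines: Iterable[str]) -> int:
    """Number of matching crash events; the advisory speaks of multiple entries."""
    return sum(1 for line in lines if is_sslvpnd_crash(line))


def matching_artifacts(paths: Iterable[str]) -> List[str]:
    """Paths from a filesystem listing that are listed as artifacts."""
    return sorted(p for p in paths if p in ARTIFACT_PATHS)


def matching_connections(lines: Iterable[str]) -> List[Tuple[str, int]]:
    """Traffic-log lines whose dstip/dstport pair is a listed endpoint."""
    hits = []
    for line in lines:
        f = parse_kv(line)
        try:
            endpoint = (f.get("dstip", ""), int(f.get("dstport", "")))
        except ValueError:          # no numeric dstport on this line
            continue
        if endpoint in SUSPICIOUS_ENDPOINTS:
            hits.append(endpoint)
    return hits


def triage(event_log, traffic_log, file_listing) -> Dict[str, object]:
    """Summarise all three indicator classes in one report."""
    return {
        "sslvpnd_crashes": count_crashes(event_log),
        "artifacts": matching_artifacts(file_listing),
        "connections": matching_connections(traffic_log),
    }


# Constructed sample data (not real device output)
SAMPLE_EVENT_LOG = [
    'date=2022-12-12 time=10:00:01 logid="0100022002" type="event" subtype="system" '
    'level="critical" Logdesc="Application crashed" '
    'msg="Pid 2345 application:sslvpnd, Signal 11 received, Backtrace: [0x00000000]"',
    'date=2022-12-12 time=10:00:05 logid="0100032001" type="event" subtype="system" '
    'level="notice" logdesc="Admin login successful" msg="Administrator logged in"',
    'date=2022-12-12 time=10:02:11 logid="0100022002" type="event" subtype="system" '
    'level="critical" logdesc="Application crashed" '
    'msg="Pid 2399 application:sslvpnd, Signal 11 received, Backtrace: [0x00000000]"',
]
SAMPLE_TRAFFIC_LOG = [
    'date=2022-12-12 srcip="10.0.0.5" dstip="188.34.130.40" dstport="444" action="accept"',
    'date=2022-12-12 srcip="10.0.0.5" dstip="93.184.216.34" dstport="443" action="accept"',
    'date=2022-12-12 srcip="10.0.0.5" dstip="192.36.119.61" dstport="80" action="accept"',
]
SAMPLE_FILE_LISTING = [
    "/data/lib/libips.so", "/data/lib/libips.bak", "/var/.sslvpnconfigbk", "/data/etc/fwd.conf",
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENT_LOG, SAMPLE_TRAFFIC_LOG, SAMPLE_FILE_LISTING))
```

Note that `/flash` is matched verbatim as the advisory lists it, so a listing that contains the top-level `/flash` directory itself will register a hit; read that result alongside the other indicators rather than on its own. The third traffic line deliberately hits a listed IP on a port the advisory does not name and is therefore not reported, which keeps the check faithful to the published pairs.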

Affected Systems

The following FortiOS versions are affected:

  • FortiOS version 7.2.0 - 7.2.2
  • FortiOS version 7.0.0 - 7.0.8
  • FortiOS version 6.4.0 - 6.4.10
  • FortiOS version 6.2.0 - 6.2.11
  • FortiOS version 6.0.0 - 6.0.15
  • FortiOS version 5.6.0 - 5.6.14
  • FortiOS version 5.4.0 - 5.4.13
  • FortiOS version 5.2.0 - 5.2.15
  • FortiOS version 5.0.0 - 5.0.14
  • FortiOS-6K7K version 7.0.0 - 7.0.7
  • FortiOS-6K7K version 6.4.0 - 6.4.9
  • FortiOS-6K7K version 6.2.0 - 6.2.11
  • FortiOS-6K7K version 6.0.0 - 6.0.14

IoCs

-

Recommended Solution(s)

The following actions are recommended:

  • Update to FortiOS version 6.2.11 or above,
  • Update to FortiOS version 6.4.9 or above,
  • Update to FortiOS version 7.0.6 or above,
  • Update to FortiOS version 7.2.1 or above.

or

  • FortiOS version 6.0.0 to 6.0.10 : Upgrade IPS engine to version 4.086 or above,
  • FortiOS version 6.2.4 to 6.2.10 : Upgrade IPS engine to version 5.259 or above,
  • FortiOS version 6.4.0 to 6.4.8 : Upgrade IPS engine to version 6.122 or above,
  • FortiOS version 7.0.0 to 7.0.5 : Upgrade IPS engine to version 7.114 or above,
  • FortiOS version 7.2.0: Upgrade IPS engine to version 7.215 or above.

Workaround:

  • Disable SSL-VPN

CVE / CWE

CVE-2022-42475

Related Website(s)

* Vulnerabilities with a CVSS 3.x score of 7.0-8.9 (out of 10) are considered "high", and those with a score of 9.0-10.0 "critical".