Published: December 14, 2022

Overview

Fortinet recently disclosed a critical buffer overflow vulnerability in FortiOS SSL-VPN, a component deployed on a wide range of Fortinet products. The flaw is tracked as CVE-2022-42475 and has a score of 9.3 out of 10 on the CVSS scale. An attacker can exploit this vulnerability to achieve Remote Code Execution or Remote Command Execution, and can then take over the device to install programs; view, change, or delete data; or create new accounts with full user rights. FortiOS is the proprietary operating system present in Fortinet network devices such as Fortinet firewalls. Impacted organizations should prioritize patching.

Background on the Risk

Remote Code Execution: The attacker can use the heap-based buffer overflow bug to execute remote code through specially crafted requests. The attack can even give full control of the system.

Remote Command Execution: The attacker can craft specific requests that, through the heap buffer overflow, result in command execution on the Fortinet device.

While this vulnerability does not impact Netsurion’s infrastructure or platform, we are providing insights and remediation guidance to our customers, partners, and the industry at large in the spirit of cooperation. All the Fortinet devices in the Netsurion infrastructure have been updated with the fixed FortiOS.

Impact

This vulnerability applies to the following use case:

  • Fortinet Secure Socket Layer – Virtual Private Network (SSL-VPN) Vulnerability – CVE-2022-42475

Applicable Versions

This vulnerability has a risk rating of Critical and 9.3 out of 10.0 severity on the CVSS 3.0 severity scale in the National Vulnerability Database (NVD).

  • Affected Platforms
    • Fortinet devices containing FortiOS with specific versions.
  • Affected Operating System (OS)
    • FortiOS (Fortinet Operating System)
  • Affected OS Versions
    • FortiOS version 7.2.0 through 7.2.2
    • FortiOS version 7.0.0 through 7.0.8
    • FortiOS version 6.4.0 through 6.4.10
    • FortiOS version 6.2.0 through 6.2.11
    • FortiOS-6K7K version 7.0.0 through 7.0.7
    • FortiOS-6K7K version 6.4.0 through 6.4.9
    • FortiOS-6K7K version 6.2.0 through 6.2.11
    • FortiOS-6K7K version 6.0.0 through 6.0.14

Mitigations / Workarounds

Impacted versions of Fortinet FortiOS should be updated to the fixed FortiOS version listed below that corresponds to the device's current version branch.
Patches / fixes include:

  • FortiOS version 7.2.3 or above
  • FortiOS version 7.0.9 or above
  • FortiOS version 6.4.11 or above
  • FortiOS version 6.2.12 or above
  • FortiOS-6K7K version 7.0.8 or above
  • FortiOS-6K7K version 6.4.10 or above
  • FortiOS-6K7K version 6.2.12 or above
  • FortiOS-6K7K version 6.0.15 or above

A workaround is to disable SSL-VPN in the Fortinet devices.
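The affected and fixed version lists above map onto a simple per-branch check, which is the first thing an inventory owner needs when deciding which devices to patch. The following triage helper is an added example, not Netsurion or Fortinet code; it encodes only the ranges stated in this advisory, and the sample inventory (hostnames and versions) is constructed. Branches that the advisory does not list are reported as "not listed" rather than as safe.

```python
"""Fleet triage for CVE-2022-42475 (added example; not Netsurion or Fortinet code).

Encodes only the affected and fixed FortiOS / FortiOS-6K7K ranges listed in the
advisory above. Branches the advisory does not list are reported as "not listed",
not as safe.
"""
from typing import List, NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]


class Branch(NamedTuple):
    product: str      # "FortiOS" or "FortiOS-6K7K"
    first: Version    # first affected release in the branch
    last: Version     # last affected release in the branch
    fixed: str        # first release carrying the fix


# Ranges copied from the advisory's "Affected OS Versions" and "Patches / fixes".
AFFECTED_BRANCHES: List[Branch] = [
    Branch("FortiOS", (7, 2, 0), (7, 2, 2), "7.2.3"),
    Branch("FortiOS", (7, 0, 0), (7, 0, 8), "7.0.9"),
    Branch("FortiOS", (6, 4, 0), (6, 4, 10), "6.4.11"),
    Branch("FortiOS", (6, 2, 0), (6, 2, 11), "6.2.12"),
    Branch("FortiOS-6K7K", (7, 0, 0), (7, 0, 7), "7.0.8"),
    Branch("FortiOS-6K7K", (6, 4, 0), (6, 4, 9), "6.4.10"),
    Branch("FortiOS-6K7K", (6, 2, 0), (6, 2, 11), "6.2.12"),
    Branch("FortiOS-6K7K", (6, 0, 0), (6, 0, 14), "6.0.15"),
]


class Verdict(NamedTuple):
    affected: bool
    fixed_version: Optional[str]   # None when the branch is not in the advisory
    reason: str


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def parse_version(text: str) -> Version:
    """Parse 'v7.0.8' / '7.0.8' into (7, 0, 8); reject anything else loudly."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def triage(product: str, version: str) -> Verdict:
    """Decide whether one device's product/version pair falls in an affected range."""
    v = parse_version(version)
    for b in AFFECTED_BRANCHES:
        if b.product.lower() != product.lower() or v[:2] != b.first[:2]:
            continue  # different product line or different major.minor branch
        if b.first <= v <= b.last:
            return Verdict(True, b.fixed,
                           f"{product} {version} is within affected range "
                           f"{fmt(b.first)}-{fmt(b.last)}; upgrade to {b.fixed} or later")
        return Verdict(False, b.fixed,
                       f"{product} {version} is at or above fixed release {b.fixed}")
    return Verdict(False, None,
                   f"{product} {version}: branch not listed in the advisory; verify with the vendor")


def affected_devices(inventory: List[dict]) -> List[dict]:
    """Filter {'host','product','version'} records down to those that need patching."""
    hits = []
    for dev in inventory:
        verdict = triage(dev["product"], dev["version"])
        if verdict.affected:
            hits.append({**dev, "fixed_version": verdict.fixed_version})
    return hits


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "fw-hq-01", "product": "FortiOS", "version": "7.0.8"},
    {"host": "fw-hq-02", "product": "FortiOS", "version": "7.0.9"},
    {"host": "fw-dc-01", "product": "FortiOS-6K7K", "version": "6.0.14"},
    {"host": "fw-lab-01", "product": "FortiOS", "version": "6.0.14"},
]

if __name__ == "__main__":
    for dev in SAMPLE_INVENTORY:
        print(dev["host"], "->", triage(dev["product"], dev["version"]).reason)
```

Feed `affected_devices` the output of whatever asset inventory you already keep; the `fixed_version` field on each hit is the minimum release to schedule. Because the FortiOS and FortiOS-6K7K lines have different cut-offs in the same branch (7.0.8 is affected on one and fixed on the other), the product string must be carried through, not just the version number.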

Netsurion Detection and Response

At this time, our Netsurion Managed Open XDR security experts have determined that no Netsurion infrastructure, products, or modules are impacted by CVE-2022-42475. The IoCs have been added to the Netsurion Threat Center so that they can be detected by the Netsurion Security Operations Center (SOC).

Our security experts are closely monitoring SSL-VPN vulnerabilities for updates and further exploits by cyber criminals. We will update this advisory with any future details and attack surface protection tips.

Indicators of Compromise (IoCs)

Multiple log entries with:

Logdesc="Application crashed" and msg="[…] application:sslvpnd,[…], Signal 11 received, Backtrace: […]"

Presence of the following artifacts in the Fortinet device filesystem:

  • /data/lib/libips.bak
  • /data/lib/libgif.so
  • /data/lib/libiptcp.so
  • /data/lib/libipudp.so
  • /data/lib/libjepg.so
  • /var/.sslvpnconfigbk
  • /data/etc/wxd.conf
  • /flash

Connections to suspicious IP addresses from the FortiGate device:

  • 188.34.130.40:444
  • 103.131.189.143:30080,30081,30443,20443
  • 192.36.119.61:8443,444
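The three indicator types above (crash log entries, filesystem artifacts, and outbound connections) can be swept over exported data in one pass. The script below is an added example and not Netsurion or Fortinet code; it uses only the indicator values printed in this advisory, the log lines, file listing, and connection records are constructed samples, and the crash regex matches the `logdesc`/`msg` keys case-insensitively so it does not depend on how the export capitalises them.

```python
"""IoC sweep for CVE-2022-42475 (added example; not Netsurion or Fortinet code).

Applies the three indicator types from the advisory above to exported data:
FortiOS event logs (sslvpnd crashes), a file listing from the device, and a
connection export. Sample inputs below are constructed, not real captures.
"""
import re
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple

# 1. Repeated sslvpnd crashes: logdesc="Application crashed" with a Signal 11 backtrace.
SSLVPND_CRASH = re.compile(
    r'logdesc="Application crashed".*?'
    r'msg="[^"]*application:sslvpnd,[^"]*Signal 11 received, Backtrace:',
    re.IGNORECASE,
)

# 2. Filesystem artifacts listed in the advisory.
ARTIFACT_PATHS: Set[str] = {
    "/data/lib/libips.bak", "/data/lib/libgif.so", "/data/lib/libiptcp.so",
    "/data/lib/libipudp.so", "/data/lib/libjepg.so", "/var/.sslvpnconfigbk",
    "/data/etc/wxd.conf", "/flash",
}

# 3. Outbound destinations listed in the advisory, keyed by IP with the listed ports.
SUSPECT_DESTINATIONS: Dict[str, Set[int]] = {
    "188.34.130.40": {444},
    "103.131.189.143": {30080, 30081, 30443, 20443},
    "192.36.119.61": {8443, 444},
}


class ConnectionHit(NamedTuple):
    dst_ip: str
    dst_port: int
    confidence: str   # "high" = IP and port both listed; "medium" = IP listed, other port


def find_sslvpnd_crashes(log_lines: Iterable[str]) -> List[str]:
    """Return the log lines that carry the sslvpnd Signal 11 crash signature."""
    return [line for line in log_lines if SSLVPND_CRASH.search(line)]


def find_artifacts(paths: Iterable[str]) -> List[str]:
    """Return advisory-listed paths present in a file listing taken from the device."""
    return sorted(p for p in set(paths) if p.rstrip("/") in ARTIFACT_PATHS)


def find_suspect_connections(conns: Iterable[Tuple[str, int]]) -> List[ConnectionHit]:
    """Flag connections to listed IPs; exact IP+port matches score higher."""
    hits = []
    for ip, port in conns:
        ports = SUSPECT_DESTINATIONS.get(ip)
        if ports is None:
            continue
        hits.append(ConnectionHit(ip, port, "high" if port in ports else "medium"))
    return hits


def sweep(log_lines: Iterable[str], paths: Iterable[str],
          conns: Iterable[Tuple[str, int]]) -> Dict[str, int]:
    """Summarise hits per indicator type; any non-zero count warrants investigation."""
    conn_hits = find_suspect_connections(conns)
    return {
        "sslvpnd_crashes": len(find_sslvpnd_crashes(log_lines)),
        "artifacts": len(find_artifacts(paths)),
        "connections_high": sum(1 for h in conn_hits if h.confidence == "high"),
        "connections_medium": sum(1 for h in conn_hits if h.confidence == "medium"),
    }


# Constructed sample data (device name, PIDs, backtrace values and the
# non-indicator address 192.0.2.10 are made up).
SAMPLE_LOGS = [
    'date=2022-12-14 time=10:00:01 devname="fgt-edge-01" logdesc="Application crashed" '
    'msg="Pid 4711 application:sslvpnd, Signal 11 received, Backtrace: [0x00aa 0x00bb]"',
    'date=2022-12-14 time=10:00:09 devname="fgt-edge-01" logdesc="Application crashed" '
    'msg="Pid 4720 application:sslvpnd, Signal 11 received, Backtrace: [0x00aa 0x00cc]"',
    'date=2022-12-14 time=10:01:00 devname="fgt-edge-01" logdesc="Application crashed" '
    'msg="Pid 300 application:other_daemon, Signal 11 received, Backtrace: [0x0001]"',
    'date=2022-12-14 time=10:02:00 devname="fgt-edge-01" logdesc="Admin login successful" '
    'msg="Administrator admin logged in successfully from ssh"',
]
SAMPLE_PATHS = ["/data/lib/libips.so", "/data/lib/libips.bak", "/data/etc/wxd.conf", "/bin/sh"]
SAMPLE_CONNS = [("188.34.130.40", 444), ("103.131.189.143", 30443),
                ("192.36.119.61", 8080), ("192.0.2.10", 443)]

if __name__ == "__main__":
    print(sweep(SAMPLE_LOGS, SAMPLE_PATHS, SAMPLE_CONNS))
```

A single sslvpnd crash can have benign causes, which is why the advisory speaks of multiple entries; the count returned by `sweep` is what to alert on, and a crash count together with any artifact or high-confidence connection hit should be escalated as a likely compromise rather than a stability issue.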

Detection by Netsurion Vulnerability Management Service

The Vulnerability Management signature database has been updated with CVE-2022-42475 detections. Our Security Operations Center (SOC) will detect and report any related FortiOS SSL-VPN vulnerabilities to our customers and partners who subscribe to Netsurion Vulnerability Management.

Contact your Netsurion Account Manager with any questions.
