Threat Intelligence: FortiOS Heap-based buffer overflow
Threat Intelligence from DigitalXRAID’s Security Operations Centre analysts:
Fortinet have recently patched a critical heap-based buffer overflow vulnerability in the FortiOS SSL-VPN component. The vulnerability may allow an unauthenticated remote attacker to execute arbitrary code via specially crafted requests.
The CVSS (Common Vulnerability Scoring System) Severity Score has been rated as: 9.3
Read more about the CVE details here: CVE-2022-42475
The affected products are listed below:
- FortiOS version 7.2.0 through 7.2.2
- FortiOS version 7.0.0 through 7.0.8
- FortiOS version 6.4.0 through 6.4.10
- FortiOS version 6.2.0 through 6.2.11
- FortiOS version 6.0.0 through 6.0.15
- FortiOS version 5.6.0 through 5.6.14
- FortiOS version 5.4.0 through 5.4.13
- FortiOS version 5.2.0 through 5.2.15
- FortiOS version 5.0.0 through 5.0.14
- FortiOS-6K7K version 7.0.0 through 7.0.7
- FortiOS-6K7K version 6.4.0 through 6.4.9
- FortiOS-6K7K version 6.2.0 through 6.2.11
- FortiOS-6K7K version 6.0.0 through 6.0.14
Fortinet are aware that the vulnerability has been exploited in the wild, and recommend validating your systems against the following IoCs if running a vulnerable version of FortiOS:
Multiple log entries with:
Logdesc="Application crashed" and msg="[…] application:sslvpnd,[…], Signal 11 received, Backtrace: […]"
Presence of the following artifacts in the filesystem:
- /data/lib/libips.bak
- /data/lib/libgif.so
- /data/lib/libiptcp.so
- /data/lib/libipudp.so
- /data/lib/libjepg.so
- /var/.sslvpnconfigbk
- /data/etc/wxd.conf
- /flash
Connections to suspicious IP addresses from the FortiGate:
- 188.34.130.40:444
- 103.131.189.143:30080,30081,30443,20443
- 192.36.119.61:8443,444
- 172.247.168.153:8033
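As an added example (not code from the advisory or from Fortinet), the following Python turns the three IoC checks above into functions: a log-line matcher for the sslvpnd crash signature, a filesystem check for the listed artifacts (optionally against an offline copy of the device filesystem), and a lookup of observed outbound connections against the listed IP/port pairs. The sample log lines and connections at the bottom are constructed for illustration.

```python
import re
from pathlib import Path

# Indicators copied from the IoC list above (Fortinet's advisory for CVE-2022-42475).
ARTIFACT_PATHS = [
    "/data/lib/libips.bak", "/data/lib/libgif.so", "/data/lib/libiptcp.so",
    "/data/lib/libipudp.so", "/data/lib/libjepg.so", "/var/.sslvpnconfigbk",
    "/data/etc/wxd.conf", "/flash",
]
SUSPICIOUS_ENDPOINTS = {          # destination IP -> set of destination ports
    "188.34.130.40": {444},
    "103.131.189.143": {30080, 30081, 30443, 20443},
    "192.36.119.61": {8443, 444},
    "172.247.168.153": {8033},
}
# Crash signature: logdesc="Application crashed" whose msg names sslvpnd and a Signal 11.
CRASH_RE = re.compile(
    r'logdesc="Application crashed".*?msg=".*?application:sslvpnd.*?Signal 11 received',
    re.IGNORECASE,
)

def find_sslvpnd_crashes(log_lines):
    """Return every log line carrying the sslvpnd crash signature."""
    return [line for line in log_lines if CRASH_RE.search(line)]

def find_artifacts(root="/"):
    """Return the artifact paths that exist under `root` (point `root` at an offline image)."""
    base = Path(root)
    return [p for p in ARTIFACT_PATHS if (base / p.lstrip("/")).exists()]

def find_suspicious_connections(connections):
    """`connections`: iterable of (dst_ip, dst_port). Return those matching the IoC list."""
    return [(ip, port) for ip, port in connections
            if port in SUSPICIOUS_ENDPOINTS.get(ip, set())]

# Constructed sample data (not real telemetry) so the checks can be exercised offline.
SAMPLE_LOGS = [
    'date=2022-12-12 time=09:41:03 logid="0100022206" type="event" subtype="system" '
    'level="critical" logdesc="Application crashed" msg="Pid 1542 crashed, '
    'application:sslvpnd,firmware FortiGate-100F v7.0.8, Signal 11 received, Backtrace: [...]"',
    'date=2022-12-12 time=09:41:10 logid="0100022206" type="event" subtype="system" '
    'level="critical" logdesc="Application crashed" msg="Pid 901 crashed, '
    'application:ipsengine, Signal 11 received, Backtrace: [...]"',
    'date=2022-12-12 time=09:42:00 logid="0101039424" type="event" subtype="vpn" '
    'logdesc="SSL VPN tunnel up" msg="SSL tunnel established" user="alice"',
]
SAMPLE_CONNECTIONS = [("10.0.0.5", 443), ("103.131.189.143", 30443), ("188.34.130.40", 443)]

if __name__ == "__main__":
    print("sslvpnd crash lines:", len(find_sslvpnd_crashes(SAMPLE_LOGS)))
    print("suspicious connections:", find_suspicious_connections(SAMPLE_CONNECTIONS))
    print("artifacts present:", find_artifacts("/"))
```

Only the crash and artifact checks are specific to this vulnerability; a match on the IP list alone warrants investigation rather than a conclusion, since the ports listed are not exclusive to this activity.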
To mitigate this vulnerability, Fortinet recommend upgrading to one of the versions of FortiOS listed below. If this is not possible, the recommendation is to disable SSL-VPN.
- FortiOS version 7.2.3 or above
- FortiOS version 7.0.9 or above
- FortiOS version 6.4.11 or above
- FortiOS version 6.2.12 or above
- (upcoming) FortiOS-6K7K version 7.0.8 or above
- FortiOS-6K7K version 6.4.10 or above
- (upcoming) FortiOS-6K7K version 6.2.12 or above
- FortiOS-6K7K version 6.0.15 or above
If you discover that you’ve suffered a breach as a result of this or any other vulnerability, and need help urgently, get in contact with us. You can call our emergency line on 0800 066 4509 to speak to one of our experts. They’re available 24 hours a day, 7 days a week. Bookmark this page in case you ever need us.
If you need any support in mitigating any risks this vulnerability may have on your business, please don’t hesitate to get in contact.