Critical Severity Buffer Overflow 0-Day Vulnerability in Fortinet SSL-VPN Under Active Exploitation (CVE-2022-42475)

This bulletin was authored by Mark Stueck of the Kudelski Security Threat Detection & Research Team.

Summary

On December 12th, 2022, Fortinet disclosed the existence of a critical heap-based buffer overflow vulnerability (assigned CVE-2022-42475) in sslvpnd (The SSL VPN daemon on Fortinet devices), with a CVSS score of 9.3 affecting FortiOS. According to currently available information, the vulnerability allows an unauthenticated threat actor to execute arbitrary code through custom crafted requests against a target system. Additionally, Fortinet has confirmed that the vulnerability has already been exploited in-the-wild.

As these devices are designed to be exposed directly on the internet, Kudelski Security strongly recommends patching to the latest version of FortiOS as soon as possible to address the vulnerability. Additionally, organizations should validate the integrity of potentially affected systems leveraging the IOCs and instructions provided below.

Affected Systems and/or Applications

  • FortiOS version 7.2.0 through 7.2.2
  • FortiOS version 7.0.0 through 7.0.8
  • FortiOS version 6.4.0 through 6.4.10
  • FortiOS version 6.2.0 through 6.2.11
  • FortiOS-6K7K version 7.0.0 through 7.0.7
  • FortiOS-6K7K version 6.4.0 through 6.4.9
  • FortiOS-6K7K version 6.2.0 through 6.2.11
  • FortiOS-6K7K version 6.0.0 through 6.0.14

Solution

Current FortiOS Version                       Fixed FortiOS Version
--------------------------------------------  --------------------------------------
FortiOS version 7.2.0 through 7.2.2           FortiOS version 7.2.3 or above
FortiOS version 7.0.0 through 7.0.8           FortiOS version 7.0.9 or above
FortiOS version 6.4.0 through 6.4.10          FortiOS version 6.4.11 or above
FortiOS version 6.2.0 through 6.2.11          FortiOS version 6.2.12 or above
FortiOS-6K7K version 7.0.0 through 7.0.7      FortiOS-6K7K version 7.0.8 or above
FortiOS-6K7K version 6.4.0 through 6.4.9      FortiOS-6K7K version 6.4.10 or above
FortiOS-6K7K version 6.2.0 through 6.2.11     FortiOS-6K7K version 6.2.12 or above
FortiOS-6K7K version 6.0.0 through 6.0.14     FortiOS-6K7K version 6.0.15 or above

Temporary workarounds and mitigations

Patching as soon as possible is the recommended solution. However, until a patch can be validated, tested, and implemented, consider disabling VPN-SSL functionality on FortiOS devices if it is not essential.

Detection Guidance

FortiGuard Labs released a handful of Indicators of Compromise (IOCs) that can be used to validate suspicious activity or possible exploitation. Please note that some or all of the following IOCs are likely to be static and therefore less effective at identifying suspicious activity as time progresses, due to the active-exploitation status of the vulnerability.

Multiple log entries with:

Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"

Note: The above log may be indicative of a crash due to attempted or successful exploitation.

Presence of the following artifacts in the filesystem:

  • /data/lib/libips.bak
  • /data/lib/libgif.so
  • /data/lib/libiptcp.so
  • /data/lib/libipudp.so
  • /data/lib/libjepg.so
  • /var/.sslvpnconfigbk
  • /data/etc/wxd.conf
  • /flash

Note: Organizations may be able to leverage the `diagnose sys last-modified-files` command to see when certain files and folders (such as "/var") were last modified.

Connections to suspicious IP addresses from the FortiGate:

  • 188.34.130.40:444
  • 103.131.189.143:30080,30081,30443,20443
  • 192.36.119.61:8443,444
  • 172.247.168.153:8033

Note: The above IP addresses have likely been rotated by the threat actors known to abuse this vulnerability. They should be used for historical threat hunting rather than live detection.
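As an added illustration that is not part of this bulletin or of any Fortinet tooling, the Python below applies the crash-log pattern and the listed IP:port pairs to exported FortiOS log lines. The sample lines and the device address 192.0.2.1 are constructed.

```python
import re

# Crash signature from the bulletin: sslvpnd dying with SIGSEGV (Signal 11).
CRASH_RE = re.compile(r"application:sslvpnd.*Signal 11 received")

# IOC destinations from the bulletin (historical hunting, not live detection).
IOC_DST = {"188.34.130.40": {444},
           "103.131.189.143": {30080, 30081, 30443, 20443},
           "192.36.119.61": {8443, 444},
           "172.247.168.153": {8033}}

# FortiOS log lines are key=value pairs; values containing spaces are double-quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortios_log(line):
    """Return a dict of the key=value fields in one FortiOS log line."""
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}

def is_sslvpnd_crash(fields):
    """Match the 'Application crashed' event for sslvpnd quoted in the bulletin."""
    return (fields.get("logdesc") == "Application crashed"
            and CRASH_RE.search(fields.get("msg", "")) is not None)

def is_ioc_connection(fields, own_ips):
    """Match a traffic log in which the FortiGate itself (srcip in own_ips, assumed
    to be the device's interface addresses) connects to a listed IP:port."""
    ports = IOC_DST.get(fields.get("dstip"), set())
    port = fields.get("dstport", "")
    return fields.get("srcip") in own_ips and port.isdigit() and int(port) in ports

def hunt(lines, own_ips):
    """Return (crash timestamps, IOC connection hits) found in raw log lines."""
    crashes, hits = [], []
    for line in lines:
        f = parse_fortios_log(line)
        stamp = f"{f.get('date', '')} {f.get('time', '')}"
        if is_sslvpnd_crash(f):
            crashes.append(stamp)
        elif is_ioc_connection(f, own_ips):
            hits.append((stamp, f["dstip"], int(f["dstport"])))
    return crashes, hits

# Constructed sample lines in FortiOS syslog style (not real device output).
SAMPLE_LOGS = [
    'date=2022-12-12 time=03:14:07 type="event" subtype="system" level="critical" logdesc="Application crashed" msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"',
    'date=2022-12-12 time=03:14:09 type="event" subtype="system" level="critical" logdesc="Application crashed" msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"',
    'date=2022-12-12 time=03:15:30 type="traffic" subtype="local" srcip=192.0.2.1 dstip=188.34.130.40 dstport=444 action="accept"',
    'date=2022-12-12 time=03:16:00 type="traffic" subtype="forward" srcip=198.51.100.7 dstip=192.36.119.61 dstport=443 action="accept"',
    'date=2022-12-12 time=03:17:00 type="event" logdesc="Application crashed" msg="application:httpsd, Signal 11 received"',
]
```

Running `hunt(SAMPLE_LOGS, {"192.0.2.1"})` on the constructed input reports the two sslvpnd crashes and the single local-out connection to 188.34.130.40:444; the httpsd crash and the forwarded client session on port 443 are ignored.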

What the Cyber Fusion Center is doing

The CFC has created a threat hunt campaign (THR0010319) to investigate potentially compromised Fortinet systems using the IOCs above and other techniques for identifying potential unauthorized access and attack progression.

Clients of the Cyber Fusion Center’s Security Device Management service for Fortinet will also be contacted to schedule emergency patching sessions.

Please refer to the customer portal for additional details and information on the hunt.

Updates

The CFC will provide updates on the status of this vulnerability, as well as additional information, details, and exploitation proof-of-concepts as they emerge via this blog post.

Sources

https://www.fortiguard.com/psirt/FG-IR-22-398

https://www.securityweek.com/fortinet-ships-emergency-patch-already-exploited-vpn-flaw

https://www.cisa.gov/uscert/ncas/current-activity/2022/12/12/fortinet-releases-security-updates-fortios

https://bibstech.live/fortinet-confirms-vpn-vulnerability-exploited-in-the-wild/

https://www.lemagit.fr/actualites/252528257/VPN-SSL-nouvelle-vulnerabilite-critique-inedite-chez-Fortinet
