This bulletin was authored by Mark Stueck of the Kudelski Security Threat Detection & Research Team.
On December 12th, 2022, Fortinet disclosed the existence of a critical heap-based buffer overflow vulnerability (assigned CVE-2022-42475) in sslvpnd (the SSL VPN daemon on Fortinet devices), with a CVSS score of 9.3, affecting FortiOS. According to currently available information, the vulnerability allows an unauthenticated threat actor to execute arbitrary code by sending specially crafted requests to a target system. Additionally, Fortinet has confirmed that the vulnerability has already been exploited in the wild.
As these devices are designed to be exposed directly on the internet, Kudelski Security strongly recommends patching to the latest version of FortiOS as soon as possible to address the vulnerability. Additionally, organizations should validate the integrity of potentially affected systems leveraging the IOCs and instructions provided below.
Affected Systems and/or Applications
- FortiOS version 7.2.0 through 7.2.2
- FortiOS version 7.0.0 through 7.0.8
- FortiOS version 6.4.0 through 6.4.10
- FortiOS version 6.2.0 through 6.2.11
- FortiOS-6K7K version 7.0.0 through 7.0.7
- FortiOS-6K7K version 6.4.0 through 6.4.9
- FortiOS-6K7K version 6.2.0 through 6.2.11
- FortiOS-6K7K version 6.0.0 through 6.0.14
| Current FortiOS Version | Fixed FortiOS Version |
|---|---|
| FortiOS version 7.2.0 through 7.2.2 | FortiOS version 7.2.3 or above |
| FortiOS version 7.0.0 through 7.0.8 | FortiOS version 7.0.9 or above |
| FortiOS version 6.4.0 through 6.4.10 | FortiOS version 6.4.11 or above |
| FortiOS version 6.2.0 through 6.2.11 | FortiOS version 6.2.12 or above |
| FortiOS-6K7K version 7.0.0 through 7.0.7 | FortiOS-6K7K version 7.0.8 or above |
| FortiOS-6K7K version 6.4.0 through 6.4.9 | FortiOS-6K7K version 6.4.10 or above |
| FortiOS-6K7K version 6.2.0 through 6.2.11 | FortiOS-6K7K version 6.2.12 or above |
| FortiOS-6K7K version 6.0.0 through 6.0.14 | FortiOS-6K7K version 6.0.15 or above |
Temporary workarounds and mitigations
Patching as soon as possible is the recommended solution. However, until a patch can be validated, tested, and implemented, consider disabling VPN-SSL functionality on FortiOS devices if it is not essential.
FortiGuard Labs released a handful of Indicators of Compromise (IOCs) that can be used to validate suspicious activity or possible exploitation. Note that some or all of the following IOCs are static and, because the vulnerability is under active exploitation, will become less effective at identifying suspicious activity as time passes.
Multiple log entries with:
`Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"`
Note: The above log may be indicative of a crash due to attempted or successful exploitation.
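The crash signature above can be hunted for mechanically in exported FortiOS event logs. The following is an added example (not Fortinet or Kudelski code) that parses FortiOS key=value log lines, matches the `Application crashed` / `sslvpnd` / `Signal 11` combination, and reports when the number of hits reaches a threshold; the sample log lines and the threshold of two ("multiple" entries) are assumptions constructed for the example.

```python
import re

# Constructed sample FortiOS event-log lines (not real device output). Lines 1 and 2
# match the bulletin's IOC; line 3 is an unrelated event; line 4 is a crash of a
# different daemon and must not be counted.
SAMPLE_LOGS = [
    'date=2022-12-13 time=10:01:02 type="event" subtype="system" level="warning" '
    'logdesc="Application crashed" msg="Pid: 1234, application: sslvpnd, '
    'Firmware: FortiGate v7.0.8, Signal 11 received, Backtrace: [0x00401000] [0x00402000]"',
    'date=2022-12-13 time=10:01:10 type="event" subtype="system" level="warning" '
    'logdesc="Application crashed" msg="Pid: 1240, application: sslvpnd, '
    'Firmware: FortiGate v7.0.8, Signal 11 received, Backtrace: [0x00401000] [0x00403000]"',
    'date=2022-12-13 time=10:02:00 type="event" subtype="system" level="notice" '
    'logdesc="Admin login successful" msg="Administrator admin logged in from https(192.0.2.10)"',
    'date=2022-12-13 time=10:03:00 type="event" subtype="system" level="warning" '
    'logdesc="Application crashed" msg="Pid: 777, application: newcli, '
    'Signal 11 received, Backtrace: [0x00401000]"',
]

# key="quoted value" or key=bare_value; keys are lowercased so both "Logdesc"
# and "logdesc" spellings are handled.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# The msg must name sslvpnd as the crashing application AND report Signal 11 (SIGSEGV).
CRASH_MSG_RE = re.compile(r"application:\s*sslvpnd\b.*Signal 11 received", re.IGNORECASE)


def parse_fortios_log(line):
    """Parse one FortiOS key=value log line into a dict with lowercased keys."""
    return {key.lower(): (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def is_sslvpnd_crash(fields):
    """True when the parsed line matches the sslvpnd Signal 11 crash IOC."""
    return (fields.get("logdesc", "").lower() == "application crashed"
            and CRASH_MSG_RE.search(fields.get("msg", "")) is not None)


def hunt_sslvpnd_crashes(lines, threshold=2):
    """Collect timestamps of matching crashes; 'suspicious' when count >= threshold.

    The threshold of 2 is an assumption standing in for 'multiple log entries'.
    """
    hits = []
    for line in lines:
        fields = parse_fortios_log(line)
        if is_sslvpnd_crash(fields):
            hits.append(f"{fields.get('date', '?')} {fields.get('time', '?')}")
    return {"count": len(hits), "timestamps": hits, "suspicious": len(hits) >= threshold}


if __name__ == "__main__":
    print(hunt_sslvpnd_crashes(SAMPLE_LOGS))
```

A single crash can be a benign fault, so the timestamps are returned to let an analyst correlate clustered crashes with the filesystem and network IOCs below.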
Presence of the following artifacts in the filesystem:
Note: Organizations may be able to leverage the `diagnose sys last-modified-files` command to see when certain files and folders (such as `/var`) were last modified.
Connections to suspicious IP addresses from the FortiGate:
Note: The above IP addresses have likely been rotated by the threat actors known to abuse this vulnerability. Use them for historical threat hunting rather than for live detection.
What the Cyber Fusion Center is doing
The CFC has created a threat hunt campaign (THR0010319) to investigate potentially compromised Fortinet systems using the IOCs above and other techniques for identifying potential unauthorized access and attack progression.
Clients of the Cyber Fusion Center’s Security Device Management service for Fortinet will also be contacted to schedule emergency patching sessions.
Please refer to the customer portal for additional details and information on the hunt.
The CFC will provide updates on the status of this vulnerability, as well as additional information, details, and exploitation proof-of-concepts as they emerge via this blog post.