Security Update: Fortinet vulnerability discovered
Fortinet have announced a new Critical Vulnerability that could lead to data theft, ransomware, denial of service or operational disruption.
Fortinet have announced a new Critical Vulnerability (tracked as CVE-2022-42475) affecting FortiOS SSL-VPN. The security flaw is a heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN, which may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. This could result in data theft, ransomware, denial of service or operational disruption.
Which products are vulnerable?
- FortiOS version 7.2.0 through 7.2.2
- FortiOS version 7.0.0 through 7.0.8
- FortiOS version 6.4.0 through 6.4.10
- FortiOS version 6.2.0 through 6.2.11
- FortiOS-6K7K version 7.0.0 through 7.0.7
- FortiOS-6K7K version 6.4.0 through 6.4.9
- FortiOS-6K7K version 6.2.0 through 6.2.11
- FortiOS-6K7K version 6.0.0 through 6.0.14
How do I remediate this?
To prevent possible attacks, we recommend you upgrade FortiOS to the versions below:
- Upgrade to FortiOS version 7.2.3 or above
- Upgrade to FortiOS version 7.0.9 or above
- Upgrade to FortiOS version 6.4.11 or above
- Upgrade to FortiOS version 6.2.12 or above
- Upgrade to FortiOS-6K7K version 7.0.8 or above
- Upgrade to FortiOS-6K7K version 6.4.10 or above
- Upgrade to FortiOS-6K7K version 6.2.12 or above
- Upgrade to FortiOS-6K7K version 6.0.15 or above
How do I know whether I’ve been impacted?
- Examine your FortiOS version in use
- Use vulnerability scanning tools to detect whether vulnerability exists
- Use SIEM to detect possible exploitation attempts on the internet perimeter
- Review systems for presence of Indicators of Compromise (IOCs)
What IOCs should I be on the lookout for?
Fortinet is aware of an instance where this vulnerability was exploited in the wild, and recommends immediately validating your systems against the following indicators of compromise:
1 Multiple log entries with:
-
-
- Logdesc=”Application crashed” and msg=”[…] application:SSL-VPNd,[…], Signal 11 received, Backtrace: […]“
-
2 Presence of the following artifacts in the filesystem:
-
-
- /data/lib/libips.bak
- /data/lib/libgif.so
- /data/lib/libiptcp.so
- /data/lib/libipudp.so
- /data/lib/libjepg.so
- /var/.SSL-VPNconfigbk
- /data/etc/wxd.conf
- /flash
-
3 Connections to suspicious IP addresses from the FortiGate:
-
-
- 34.130.40:444
- 131.189.143:30080,30081,30443,20443
- 36.119.61:8443,444
- 247.168.153:8033
-
Our SOC team is monitoring SIEM tenancies closely to detect any threat activity and known IOCs are being added to watchlists. Additional IOCs issued from Threat Intelligence sources will be added in real time.
We are proactively contacting our managed service customers to advise that we are upgrading where applicable.
For more information, please get in touch.
Further Reading
Question?
Our specialists have the answer