Critical Unauthenticated Remote Code Execution Vulnerability in FortiOS

This security advisory notice addresses the critical unauthenticated remote code execution vulnerability in FortisOS: CVE-2022-42475. Read on to learn about this vulnerability, the impact, and the mitigation and patching recommendations.

Security Advisory Notice

Critical Unauthenticated Remote Code Execution Vulnerability in FortiOS: CVE-2022-42475

Affected Software / System

This advisory specifically applies to the following Fortinet products:

• FortiOS version 7.2.0 through 7.2.2
• FortiOS version 7.0.0 through 7.0.8
• FortiOS version 6.4.0 through 6.4.10
• FortiOS version 6.2.0 through 6.2.11
• FortiOS version 6.0.0 through 6.0.15
• FortiOS version 5.6.0 through 5.6.14
• FortiOS version 5.4.0 through 5.4.13
• FortiOS version 5.2.0 through 5.2.15
• FortiOS version 5.0.0 through 5.0.14
• FortiOS-6K7K version 7.0.0 through 7.0.7
• FortiOS-6K7K version 6.4.0 through 6.4.9
• FortiOS-6K7K version 6.2.0 through 6.2.11
• FortiOS-6K7K version 6.0.0 through 6.0.14

CVE (if applicable)

• CVE-2022-42475 (heap-based buffer overflow vulnerability in sslvpnd)
  

Type

Heap-based buffer overflow vulnerability in sslvpnd which can allow unauthenticated remote code execution using specially crafted requests.

Exploit Status: 

FortiGuard Labs has confirmed at least one instance of exploitation “in the wild”. This suggests that further weaponization and exploitation is active and imminent.

Rating

CVE-2022-42475

• CVSSv3 score of 9.3 by Fortinet, Inc.
• Severity: Critical
  

Vulnerability Summary

On December 09, 2022, Olympe CyberDefense, a France-based cyber threat intelligence vendor, posted an alert on their website about the then undisclosed zero-day vulnerability in FortiOS ssl-vpn. A few days later, on December 12, 2022, FortiGuard Labs posted a public official PSIRT advisory formalizing the flaw as CVE-2022-42475. FortiGuard has included in their advisory a short list of Indicators of Compromise (IoCs) to validate against any Fortinet systems. The following IOCs are as follows:

IoC #1 - Multiple log entries with:

• Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]“

IoC #2 - Presence of the following artifacts in the filesystem:

• /data/lib/libips.bak
• /data/lib/libgif.so
• /data/lib/libiptcp.so
• /data/lib/libipudp.so
• /data/lib/libjepg.so
• /var/.sslvpnconfigbk
• /data/etc/wxd.conf
• /flash

IoC #3 - Connections to suspicious IP addresses from the FortiGate, including:

• 34.130.40: 444
• 131.189.143: 30080, 30081, 30443, 20443
• 36.119.61: 8443, 444
• 172.247.168.153: 8033 

Impact

This buffer overflow vulnerability can allow an unauthenticated attacker to perform operations on the administrative interface, manipulate dynamic resources of certain processes, execute arbitrary code via a remote devices and execution of other malicious artifacts.

Once a targeted system is compromised, there is a high risk of an organization's infrastructure backups being corrupted and/or ransomed, as well as a risk of lateral movement by the threat actor.

Mitigation and Patching

For clients who can not immediately patch vulnerable systems:

• Disable SSL-VPN on any and all Fortinet Devices. Specific firewall rules and steps to disable ssl-vpn can be found here.

For clients who can immediately patch vulnerable systems:

• Upgrade to FortiOS version 7.2.3 or above
• Upgrade to FortiOS version 7.0.9 or above
• Upgrade to FortiOS version 6.4.11 or above
• Upgrade to FortiOS version 6.2.12 or above
• Upgrade to upcoming FortiOS-6K7K version 7.0.8 or above
• Upgrade to FortiOS-6K7K version 6.4.10 or above
• Upgrade to upcoming FortiOS-6K7K version 6.2.12 or above
• Upgrade to FortiOS-6K7K version 6.0.15 or above

Ingalls MDR Clients Protections:

The Ingalls CTI team is actively engaged in hunting for any of the known indications of compromise at this time and will continue to closely monitor and develop additional detections as they become available. Please notify your assigned Primary Analyst if you suspect that your organization may be breached or require additional threathunting and analysis.

Ingalls Recommends the Following Actions:

Implement the above mitigation actions on every affected Fortinet appliance in your environment and roll out the latest patches as soon as possible.

Ingalls is dedicated to protecting your network and your information by providing defense-in-depth security through your Managed Detection & Response (MDR) service. As an added layer of defense, Ingalls now offers monitoring and support by a team of live Security Analysts in our Security Operations Center (SOC) 24 hours a day, every day of the year. ‘Round the clock MDR provides extended coverage with continuous analysis, response and escalation so you can have the peace of mind that comes from knowing your network is being monitored in real-time even if your business hours have stopped. Please contact dennis.zanoni@iinfosec.com for more information.