Skip to the main content.
Government Programs

Integrated technology, solutions, and services that support rapid innovation within the DoD ecosystem.

Book GP Demo

Professional Services

Expertise in security strategy, incident response readiness, policy development, and risk assessments.

Book ProServ Demo

Digital Forensics & Incident Response
Are You Under Attack?

If you are concerned about a potential threat or are experiencing a breach, contact our 24/7/365 emergency hotline at 888-860-0452.

CONTACT US

Subscribe-to-NetSec-News-v4Subscribe to NetSec News

Sign up to receive our biweekly newsletter that covers what's happening in cybersecurity including news, trends, and thought leadership.

SIGN UP

Ingalls Information Security

At our core, Ingalls is a company that strives to be helpful to our clients while continuously innovating and evolving our technology and solutions. Since 2010, we have been dedicated to building a team and product that can stay steps ahead of threats, attacks, and vulnerabilities in an ever-changing landscape.

Meet The Leadership Team

3 min read

Critical Unauthenticated Remote Code Execution Vulnerability in FortiOS

This security advisory notice addresses the critical unauthenticated remote code execution vulnerability in FortisOS: CVE-2022-42475. Read on to learn about this vulnerability, the impact, and the mitigation and patching recommendations.

Security Advisory Notice

Critical Unauthenticated Remote Code Execution Vulnerability in FortiOS: CVE-2022-42475


Affected Software / System

This advisory specifically applies to the following Fortinet products:

  • FortiOS version 7.2.0 through 7.2.2
  • FortiOS version 7.0.0 through 7.0.8
  • FortiOS version 6.4.0 through 6.4.10
  • FortiOS version 6.2.0 through 6.2.11
  • FortiOS version 6.0.0 through 6.0.15
  • FortiOS version 5.6.0 through 5.6.14
  • FortiOS version 5.4.0 through 5.4.13
  • FortiOS version 5.2.0 through 5.2.15
  • FortiOS version 5.0.0 through 5.0.14
  • FortiOS-6K7K version 7.0.0 through 7.0.7
  • FortiOS-6K7K version 6.4.0 through 6.4.9
  • FortiOS-6K7K version 6.2.0 through 6.2.11
  • FortiOS-6K7K version 6.0.0 through 6.0.14


CVE (if applicable)

  • CVE-2022-42475 (heap-based buffer overflow vulnerability in sslvpnd)


Type

Heap-based buffer overflow vulnerability in sslvpnd which can allow unauthenticated remote code execution using specially crafted requests.

Exploit Status: 

FortiGuard Labs has confirmed at least one instance of exploitation “in the wild”. This suggests that further weaponization and exploitation is active and imminent.


Rating

CVE-2022-42475

  • CVSSv3 score of 9.3 by Fortinet, Inc.
  • Severity: Critical

 

Vulnerability Summary

On December 09, 2022, Olympe CyberDefense, a France-based cyber threat intelligence vendor, posted an alert on their website about the then undisclosed zero-day vulnerability in FortiOS ssl-vpn. A few days later, on December 12, 2022, FortiGuard Labs posted a public official PSIRT advisory formalizing the flaw as CVE-2022-42475. FortiGuard has included in their advisory a short list of Indicators of Compromise (IoCs) to validate against any Fortinet systems. The following IOCs are as follows:

IoC #1 - Multiple log entries with:

  • Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]“

 

IoC #2 - Presence of the following artifacts in the filesystem:

  • /data/lib/libips.bak
  • /data/lib/libgif.so
  • /data/lib/libiptcp.so
  • /data/lib/libipudp.so
  • /data/lib/libjepg.so
  • /var/.sslvpnconfigbk
  • /data/etc/wxd.conf
  • /flash

 

IoC #3 - Connections to suspicious IP addresses from the FortiGate, including:

  • 34.130.40: 444
  • 131.189.143: 30080, 30081, 30443, 20443
  • 36.119.61: 8443, 444
  • 172.247.168.153: 8033 

 

Impact

This buffer overflow vulnerability can allow an unauthenticated attacker to perform operations on the administrative interface, manipulate dynamic resources of certain processes, execute arbitrary code via a remote devices and execution of other malicious artifacts.

Once a targeted system is compromised, there is a high risk of an organization's infrastructure backups being corrupted and/or ransomed, as well as a risk of lateral movement by the threat actor.


Mitigation and Patching

For clients who can not immediately patch vulnerable systems:

  • Disable SSL-VPN on any and all Fortinet Devices. Specific firewall rules and steps to disable ssl-vpn can be found here.

For clients who can immediately patch vulnerable systems:

  • Upgrade to FortiOS version 7.2.3 or above
  • Upgrade to FortiOS version 7.0.9 or above
  • Upgrade to FortiOS version 6.4.11 or above
  • Upgrade to FortiOS version 6.2.12 or above
  • Upgrade to upcoming FortiOS-6K7K version 7.0.8 or above
  • Upgrade to FortiOS-6K7K version 6.4.10 or above
  • Upgrade to upcoming FortiOS-6K7K version 6.2.12 or above
  • Upgrade to FortiOS-6K7K version 6.0.15 or above

 

Ingalls MDR Clients Protections:

The Ingalls CTI team is actively engaged in hunting for any of the known indications of compromise at this time and will continue to closely monitor and develop additional detections as they become available. Please notify your assigned Primary Analyst if you suspect that your organization may be breached or require additional threathunting and analysis.

Ingalls Recommends the Following Actions:

Implement the above mitigation actions on every affected Fortinet appliance in your environment and roll out the latest patches as soon as possible.

 

Ingalls is dedicated to protecting your network and your information by providing defense-in-depth security through your Managed Detection & Response (MDR) service. As an added layer of defense, Ingalls now offers monitoring and support by a team of live Security Analysts in our Security Operations Center (SOC) 24 hours a day, every day of the year. ‘Round the clock MDR provides extended coverage with continuous analysis, response and escalation so you can have the peace of mind that comes from knowing your network is being monitored in real-time even if your business hours have stopped. Please contact dennis.zanoni@iinfosec.com for more information.