This security advisory addresses the critical unauthenticated remote code execution vulnerability in FortiOS: CVE-2022-42475. Read on to learn about this vulnerability, its impact, and the mitigation and patching recommendations.
This advisory specifically applies to the following Fortinet products:
A heap-based buffer overflow vulnerability in sslvpnd that can allow unauthenticated remote code execution via specially crafted requests.
FortiGuard Labs has confirmed at least one instance of exploitation "in the wild". This suggests that further weaponization and exploitation are active and imminent.
CVE-2022-42475
On December 09, 2022, Olympe CyberDefense, a France-based cyber threat intelligence vendor, posted an alert on their website about the then-undisclosed zero-day vulnerability in FortiOS ssl-vpn. A few days later, on December 12, 2022, FortiGuard Labs published an official PSIRT advisory formalizing the flaw as CVE-2022-42475. FortiGuard included in their advisory a short list of Indicators of Compromise (IoCs) to check against any Fortinet systems. The IoCs are:
IoC #1 - Multiple log entries with:
IoC #2 - Presence of the following artifacts in the filesystem:
IoC #3 - Connections to suspicious IP addresses from the FortiGate, including:
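The three IoC classes above (crash log entries, filesystem artifacts, and outbound connections to listed IP addresses) can be checked mechanically against exported FortiGate logs and a file listing. The following script is an added example written for this advisory, not code from Fortinet or Ingalls. It assumes the standard FortiOS key=value log format; the indicator lists, the crash-message match and the "multiple entries" threshold are placeholders and assumptions that must be replaced with the values from the vendor PSIRT advisory, and the sample log lines and paths are constructed.

```python
import ipaddress
import re
from collections import Counter
from typing import Iterable

# Placeholder indicators. The vendor PSIRT advisory supplies the real values;
# these are constructed for the example and are NOT the published IoCs.
IOC_FILE_PATHS = {
    "/data/lib/PLACEHOLDER_IOC_LIBRARY.so",
    "/var/.PLACEHOLDER_IOC_CONFIG_BACKUP",
}
IOC_IPS = {
    ipaddress.ip_address("192.0.2.10"),    # RFC 5737 documentation address
    ipaddress.ip_address("198.51.100.7"),  # RFC 5737 documentation address
}
# "Multiple log entries": how many sslvpnd crash records per device before a
# finding is raised. The threshold is an assumption; tune it to your fleet.
CRASH_THRESHOLD = 2

# FortiOS log records are space-separated key=value pairs; values may be quoted.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> dict[str, str]:
    """Parse one FortiOS key=value log record into a dict, stripping quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def is_sslvpnd_crash(fields: dict[str, str]) -> bool:
    """IoC #1 stand-in: a crash event record that names the sslvpnd daemon.
    The exact message text to match comes from the vendor advisory; matching on
    logdesc plus the daemon name inside msg is an assumption."""
    return (fields.get("type") == "event"
            and fields.get("logdesc") == "Application crashed"
            and "sslvpnd" in fields.get("msg", ""))


def is_ioc_connection(fields: dict[str, str]) -> bool:
    """IoC #3: a traffic record whose destination is on the suspicious-IP list."""
    dst = fields.get("dstip")
    if not dst:
        return False
    try:
        return ipaddress.ip_address(dst) in IOC_IPS
    except ValueError:  # malformed address, not an indicator match
        return False


def hunt(log_lines: Iterable[str], filesystem_paths: Iterable[str]) -> list[tuple[str, str]]:
    """Return (indicator_class, detail) findings for the three IoC classes."""
    findings = []
    crashes = Counter()
    for line in log_lines:
        f = parse_fortigate_log(line)
        dev = f.get("devname", "unknown")
        if is_sslvpnd_crash(f):
            crashes[dev] += 1
        if is_ioc_connection(f):
            findings.append(("ioc_ip", f"{dev}: {f.get('srcip')} -> {f['dstip']}"))
    for dev, n in crashes.items():
        if n >= CRASH_THRESHOLD:
            findings.append(("sslvpnd_crashes", f"{dev}: {n} crash records"))
    for path in filesystem_paths:
        if path in IOC_FILE_PATHS:  # IoC #2: known-bad artifact present
            findings.append(("ioc_file", path))
    return findings


# Constructed sample input (not real telemetry).
SAMPLE_LOGS = [
    'date=2022-12-12 time=10:15:01 devname="fgt-edge-1" type="event" subtype="system" level="critical" logdesc="Application crashed" msg="PLACEHOLDER crash text for application:sslvpnd"',
    'date=2022-12-12 time=10:15:04 devname="fgt-edge-1" type="event" subtype="system" level="critical" logdesc="Application crashed" msg="PLACEHOLDER crash text for application:sslvpnd"',
    'date=2022-12-12 time=10:15:07 devname="fgt-edge-1" type="traffic" subtype="forward" srcip=10.0.0.5 dstip=192.0.2.10 dstport=443 action="accept"',
    'date=2022-12-12 time=10:16:00 devname="fgt-edge-2" type="traffic" subtype="forward" srcip=10.0.0.6 dstip=203.0.113.9 dstport=443 action="accept"',
]
SAMPLE_PATHS = ["/data/lib/PLACEHOLDER_BENIGN.so", "/var/.PLACEHOLDER_IOC_CONFIG_BACKUP"]

if __name__ == "__main__":
    for kind, detail in hunt(SAMPLE_LOGS, SAMPLE_PATHS):
        print(f"[{kind}] {detail}")
```

Run it against a syslog export from the FortiGate and a listing of the paths the advisory names; a single crash record stays below the threshold by design, since "multiple" entries is what the vendor calls out, while any listed destination IP or artifact path is a finding on its own.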
This buffer overflow vulnerability can allow an unauthenticated attacker to perform operations on the administrative interface, manipulate dynamic resources of certain processes, and remotely execute arbitrary code and other malicious artifacts.
Once a targeted system is compromised, there is a high risk of an organization's infrastructure backups being corrupted and/or ransomed, as well as a risk of lateral movement by the threat actor.
For clients who can not immediately patch vulnerable systems:
For clients who can immediately patch vulnerable systems:
The Ingalls CTI team is actively hunting for the known indicators of compromise at this time and will continue to closely monitor and develop additional detections as they become available. Please notify your assigned Primary Analyst if you suspect that your organization may be breached or require additional threat hunting and analysis.
Implement the above mitigation actions on every affected Fortinet appliance in your environment and roll out the latest patches as soon as possible.
Ingalls is dedicated to protecting your network and your information by providing defense-in-depth security through your Managed Detection & Response (MDR) service. As an added layer of defense, Ingalls now offers monitoring and support by a team of live Security Analysts in our Security Operations Center (SOC) 24 hours a day, every day of the year. Round-the-clock MDR provides extended coverage with continuous analysis, response and escalation, so you can have the peace of mind that comes from knowing your network is being monitored in real time even outside your business hours. Please contact dennis.zanoni@iinfosec.com for more information.