Fortinet

Fortinet urges customers to patch their appliances against an actively exploited FortiOS SSL-VPN vulnerability that could allow unauthenticated remote code execution on devices.

The security flaw is tracked as CVE-2022-42475 and is a heap-based buffer overflow bug in FortiOS sslvpnd. When exploited, the flaw could allow unauthenticated users to crash devices remotely and potentially perform code execution.

"A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests," warns Fortinet in a security advisory released today.

As reported by LeMagIT, French cybersecurity firm Olympe Cyberdefense first disclosed the Fortinet zero-day vulnerability, warning users to monitor their logs for suspicious activity until a patch was released.

Fortinet quietly fixed the bug on November 28th in FortiOS 7.2.3 (other versions released earlier) without releasing any information about it being exploited as a zero-day.

However, BleepingComputer has learned that the company issued a private TLP:Amber advisory to customers on December 7th with more information about the bug.

Today, Fortinet released security advisory FG-IR-22-398, publicly warning that the vulnerability has been actively exploited in attacks and that all users should update to the following versions to fix the bug.

FortiOS version 7.2.3 or above
FortiOS version 7.0.9 or above
FortiOS version 6.4.11 or above
FortiOS version 6.2.12 or above
FortiOS-6K7K version 7.0.8 or above
FortiOS-6K7K version 6.4.10 or above
FortiOS-6K7K version 6.2.12 or above
FortiOS-6K7K version 6.0.15 or above

Actively exploited in attacks

While Fortinet has not provided any information on how the flaw is being exploited, they shared IOCs related to attacks.

As shared previously by Olympe Cyberdefense and now Fortinet, when the vulnerability is exploited, it will generate the following entries in the logs:

Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]“

Fortinet warned that the following file system artifacts would be present on exploited devices:

/data/lib/libips.bak
/data/lib/libgif.so
/data/lib/libiptcp.so
/data/lib/libipudp.so
/data/lib/libjepg.so
/var/.sslvpnconfigbk
/data/etc/wxd.conf
/flash

Fortinet also shared a list of IP addresses seen exploiting the vulnerability, listed below.

188.34.130.40:444
103.131.189.143:30080,30081,30443,20443
192.36.119.61:8443,444
172.247.168.153:8033

Of these IP addresses, threat intelligence company Grey Noise has detected the 103.131.189.143 address previously performing network scans in October.

If you are unable to apply the patches immediately, Olympe Cyberdefense suggests customers monitor logs, disable the VPN-SSL functionality, and create access rules to limit connections from specific IP addresses.

Update 12/12/22: Added information about private advisory. Fixed CVE.

Related Articles:

Mandiant says new Fortinet flaw has been exploited since June

Hackers target critical zero-day vulnerability in PTZ cameras

Fortinet warns of new critical FortiManager flaw used in zero-day attacks

Malicious ads exploited Internet Explorer zero day to drop malware

Google: 70% of exploited flaws disclosed in 2023 were zero-days