This live blog contains information regarding the FortiOS heap-based buffer overflow vulnerability. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on December 27, 2022.
Update December 27, 2022
14:00 | Fortinet has updated their initial Advisory and has added several new products and versions of products to the list of affected products. Products newly added to the list compared to our previous advisory are:
- FortiOS version 6.0.0 through 6.0.15
- FortiOS version 5.6.0 through 5.6.14
- FortiOS version 5.4.0 through 5.4.13
- FortiOS version 5.2.0 through 5.2.15
- FortiOS version 5.0.0 through 5.0.14
- FortiProxy version 7.2.0 through 7.2.1
- FortiProxy version 7.0.0 through 7.0.7
- FortiProxy version 2.0.0 through 2.0.11
- FortiProxy version 1.2.0 through 1.2.13
- FortiProxy version 1.1.0 through 1.1.6
- FortiProxy version 1.0.0 through 1.0.7
Fortinet has published security patches to mitigate the vulnerability for the added FortiOS and FortiProxy products. It is advised to apply these security patches as soon as possible.
As the vulnerability is already being exploited in the wild, you should consider your device compromised if it has not been patched by now. Fortinet has published several indicators of compromise that can be used to determine whether the vulnerability has been exploited on a device.
Update December 13, 2022
14:00 | On the 12th of December 2022, Fortinet published an Advisory in which they describe CVE-2022-42475. This vulnerability is a heap-based buffer overflow in the FortiOS SSL-VPN allowing an unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.
Fortinet quietly fixed CVE-2022-42475 on November 28 in FortiOS 7.2.3 and had released fixed builds for other versions even earlier to mitigate the vulnerability in the FortiOS SSL-VPN. However, they only published information about the zero-day on the 12th of December. It is advised to apply these security patches as soon as possible. Fortinet is aware of an instance where this vulnerability was exploited in the wild. Therefore, in addition to the security patches, Fortinet has shared indicators of compromise (IOCs). It is advised to check FortiOS SSL-VPN systems for the presence of the shared IOCs.
Reason and background of this blog
This blog contains information about vulnerabilities, the possible risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.
Vulnerability information
On the 12th of December 2022, Fortinet published an Advisory in which they describe CVE-2022-42475. This vulnerability is a heap-based buffer overflow in the FortiOS SSL-VPN allowing an unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.
Potential Risk
CVE-2022-42475 allows an unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests by exploiting a heap-based buffer overflow in the FortiOS SSL-VPN. The vulnerability has a CVSSv3 score of 9.3. The CVSS scale runs from 0 to 10. A score of 9.3 or higher is rare and implies a high risk of exploitation with high impact.
Fortinet is aware of an instance where this vulnerability was exploited in the wild.
Detail info
The vulnerability exists in the following products:
- FortiOS version 7.2.0 through 7.2.2
- FortiOS version 7.0.0 through 7.0.8
- FortiOS version 6.4.0 through 6.4.10
- FortiOS version 6.2.0 through 6.2.11
- FortiOS-6K7K version 7.0.0 through 7.0.7
- FortiOS-6K7K version 6.4.0 through 6.4.9
- FortiOS-6K7K version 6.2.0 through 6.2.11
- FortiOS-6K7K version 6.0.0 through 6.0.14
Fortinet published security patches to mitigate the vulnerability in the FortiOS SSL-VPN. It is advised to apply these security patches as soon as possible.
- FortiOS version 7.2.3 or above
- FortiOS version 7.0.9 or above
- FortiOS version 6.4.11 or above
- FortiOS version 6.2.12 or above
- FortiOS-6K7K version 7.0.8 or above
- FortiOS-6K7K version 6.4.10 or above
- FortiOS-6K7K version 6.2.12 or above
- FortiOS-6K7K version 6.0.15 or above
Fortinet is aware of an instance where this vulnerability was exploited in the wild. It is recommended to validate your systems against the following indicators of compromise:
- Multiple log entries with:
  Logdesc="Application crashed" and msg="[…] application:sslvpnd,[…], Signal 11 received, Backtrace: […]"
- Presence of the following artifacts in the filesystem:
  - /data/lib/libips.bak
  - /data/lib/libgif.so
  - /data/lib/libiptcp.so
  - /data/lib/libipudp.so
  - /data/lib/libjepg.so
  - /var/.sslvpnconfigbk
  - /data/etc/wxd.conf
  - /flash
- Connections to suspicious IP addresses from the FortiGate:
  - 34.130.40:444
  - 131.189.143:30080,30081,30443,20443
  - 36.119.61:8443,444
  - 247.168.153:8033
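The following Python snippet is an added example (not code from Fortinet or Tesorion) that checks exported FortiGate event log lines and a filesystem listing against the first two indicator groups above: the sslvpnd crash entries and the artifact paths. The log lines and paths in it are constructed for the demonstration.

```python
"""Scan exported FortiGate log lines and a file listing for the CVE-2022-42475
indicators that the advisory lists (sslvpnd crash entries and artifact paths)."""
import re
from typing import Dict, List

# Artifact paths from the advisory. /flash is a normal directory on the appliance,
# so its presence alone says nothing; only the concrete files are matched here.
ARTIFACT_PATHS = {
    "/data/lib/libips.bak", "/data/lib/libgif.so", "/data/lib/libiptcp.so",
    "/data/lib/libipudp.so", "/data/lib/libjepg.so", "/var/.sslvpnconfigbk",
    "/data/etc/wxd.conf",
}

# FortiOS logs are key=value pairs; values may be double-quoted and contain spaces.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_log_line(line: str) -> Dict[str, str]:
    """Split one log line into a dict; quoted values keep their inner text."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}

def is_sslvpnd_crash(line: str) -> bool:
    """True when the line matches the advisory's crash indicator: logdesc
    'Application crashed' with application:sslvpnd and 'Signal 11 received'."""
    kv = parse_log_line(line)
    msg = kv.get("msg", "")
    return (kv.get("logdesc", "").lower() == "application crashed"
            and "application:sslvpnd" in msg and "Signal 11 received" in msg)

def find_crash_entries(lines: List[str]) -> List[str]:
    """Return every line matching the crash indicator (the advisory says to
    expect multiple such entries on an exploited device)."""
    return [ln for ln in lines if is_sslvpnd_crash(ln)]

def find_artifacts(paths: List[str]) -> List[str]:
    """Return the paths from a filesystem listing that are advisory artifacts."""
    return sorted(p for p in set(paths) if p in ARTIFACT_PATHS)

# Constructed sample input for the demonstration; not output from a real device.
SAMPLE_LOGS = [
    'date=2022-12-10 time=03:14:07 type="event" level="error" '
    'logdesc="Application crashed" msg="application:sslvpnd, Signal 11 received, '
    'Backtrace: [0x0000000000400000]"',
    'date=2022-12-10 time=03:15:01 type="event" level="information" '
    'logdesc="Admin login successful" msg="Administrator admin logged in from ssh"',
    'date=2022-12-10 time=03:16:22 type="event" level="error" '
    'logdesc="Application crashed" msg="application:httpsd, Signal 11 received"',
]
SAMPLE_PATHS = ["/data/lib/libips.so", "/data/lib/libips.bak",
                "/data/etc/wxd.conf", "/flash"]
```

Crashes of other daemons (the httpsd line) are deliberately not matched, and a single sslvpnd crash is weaker evidence than the repeated entries the advisory describes, so the count returned matters as much as the match.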
Sources
More information:
- Fortinet PSIRT Advisory: https://www.fortiguard.com/psirt/FG-IR-22-398
- NCSC Advisory: https://www.ncsc.nl/actueel/advisory?id=NCSC-2022-0763
Tesorion uses your personal data to send out requested information and possibly for contact by telephone and for marketing and sales purposes. You can change your preferences whenever you want. Read our privacy policy for more information.