Vulnerability

FortiOS heap-based buffer overflow vulnerability

This live blog contains information regarding the FortiOS heap-based buffer overflow vulnerability. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on December 27, 2022.


Vulnerability information


Update December 27, 2022

14:00 | Fortinet has updated its initial advisory and added several new products and product versions to the list of affected products. Products newly added to the list compared to our previous advisory are:

  • FortiOS version 6.0.0 through 6.0.15
  • FortiOS version 5.6.0 through 5.6.14
  • FortiOS version 5.4.0 through 5.4.13
  • FortiOS version 5.2.0 through 5.2.15
  • FortiOS version 5.0.0 through 5.0.14
  • FortiProxy version 7.2.0 through 7.2.1
  • FortiProxy version 7.0.0 through 7.0.7
  • FortiProxy version 2.0.0 through 2.0.11
  • FortiProxy version 1.2.0 through 1.2.13
  • FortiProxy version 1.1.0 through 1.1.6
  • FortiProxy version 1.0.0 through 1.0.7

Fortinet has published security patches for the added FortiOS and FortiProxy products. It is advised to apply these security patches as soon as possible.

As the vulnerability is already being exploited in the wild, you should consider your device compromised if it has not been patched at this moment. Fortinet has published several indicators of compromise that can be used to determine whether the vulnerability has been exploited on your device.

Update December 13, 2022

14:00 | On December 12, 2022, Fortinet published an advisory describing CVE-2022-42475. This vulnerability is a heap-based buffer overflow in the FortiOS SSL-VPN that allows an unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.

Fortinet quietly fixed CVE-2022-42475 on November 28 in FortiOS 7.2.3 and had released fixed builds for other versions even earlier to mitigate the vulnerability in the FortiOS SSL-VPN. However, the information about the zero-day was only published on December 12. It is advised to apply these security patches as soon as possible. Fortinet is aware of an instance where this vulnerability was exploited in the wild. Therefore, in addition to the security patches, Fortinet has shared indicators of compromise (IoCs). It is advised to check FortiOS SSL-VPN systems for the presence of the shared IoCs.

Background

On December 12, 2022, Fortinet published an advisory describing CVE-2022-42475. This vulnerability is a heap-based buffer overflow in the FortiOS SSL-VPN that allows an unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.

Risk

CVE-2022-42475 allows an unauthenticated attacker to execute arbitrary code or commands via specially crafted requests by exploiting a heap-based buffer overflow in the FortiOS SSL-VPN. The vulnerability has a CVSSv3 score of 9.3. The CVSS scale runs from 0 to 10. A score of 9.3 or higher is rare and implies a high risk of exploitation with high impact.

Fortinet is aware of an instance where this vulnerability was exploited in the wild.

Advice

The vulnerability exists in the following products:

  • FortiOS version 7.2.0 through 7.2.2
  • FortiOS version 7.0.0 through 7.0.8
  • FortiOS version 6.4.0 through 6.4.10
  • FortiOS version 6.2.0 through 6.2.11
  • FortiOS-6K7K version 7.0.0 through 7.0.7
  • FortiOS-6K7K version 6.4.0 through 6.4.9
  • FortiOS-6K7K version 6.2.0 through 6.2.11
  • FortiOS-6K7K version 6.0.0 through 6.0.14

Fortinet has published security patches that fix the vulnerability in the FortiOS SSL-VPN. It is advised to upgrade to one of the following versions as soon as possible:

  • FortiOS version 7.2.3 or above
  • FortiOS version 7.0.9 or above
  • FortiOS version 6.4.11 or above
  • FortiOS version 6.2.12 or above
  • FortiOS-6K7K version 7.0.8 or above
  • FortiOS-6K7K version 6.4.10 or above
  • FortiOS-6K7K version 6.2.12 or above
  • FortiOS-6K7K version 6.0.15 or above

Fortinet is aware of an instance where this vulnerability was exploited in the wild. It is recommended to validate your systems against the following indicators of compromise:

  • Multiple log entries with:
    Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"
  • Presence of the following artifacts in the filesystem:
    • /data/lib/libips.bak
    • /data/lib/libgif.so
    • /data/lib/libiptcp.so
    • /data/lib/libipudp.so
    • /data/lib/libjepg.so
    • /var/.sslvpnconfigbk
    • /data/etc/wxd.conf
    • /flash
  • Connections to suspicious IP addresses from the FortiGate:
    • 34.130.40:444
    • 131.189.143:30080,30081,30443,20443
    • 36.119.61:8443,444
    • 247.168.153:8033
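As an added example (not part of Tesorion's or Fortinet's advisory), the following Python script checks the two host-based indicators listed above: the sslvpnd "Signal 11" crash log entries and the filesystem artifact paths. The log lines are constructed for the demonstration; the artifact paths are the ones from the list above.

```python
import re

# Constructed FortiOS-style log lines for demonstration (not real device output).
# The first two match the advisory's crash signature; the third is a crash of a
# different daemon and the fourth is an unrelated event.
SAMPLE_LOGS = [
    'date=2022-12-10 time=03:14:07 logdesc="Application crashed" msg="Pid: 1234, '
    'application:sslvpnd, Firmware: FortiGate-100F v7.0.7, Signal 11 received, '
    'Backtrace: [0x00ab] [0x00cd]"',
    'date=2022-12-10 time=03:14:09 logdesc="Application crashed" msg="Pid: 1235, '
    'application: sslvpnd, Firmware: FortiGate-100F v7.0.7, Signal 11 received, '
    'Backtrace: [0x00ab] [0x00cd]"',
    'date=2022-12-10 time=04:00:00 logdesc="Application crashed" msg="Pid: 2000, '
    'application: httpsd, Firmware: FortiGate-100F v7.0.7, Signal 6 received"',
    'date=2022-12-10 time=04:00:01 logdesc="Admin login successful" '
    'msg="Administrator admin logged in successfully from ssh"',
]

# Filesystem artifacts listed in the advisory above.
ARTIFACT_PATHS = [
    "/data/lib/libips.bak", "/data/lib/libgif.so", "/data/lib/libiptcp.so",
    "/data/lib/libipudp.so", "/data/lib/libjepg.so", "/var/.sslvpnconfigbk",
    "/data/etc/wxd.conf", "/flash",
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
CRASH_RE = re.compile(r"application:\s*sslvpnd\b.*Signal 11 received")

def parse_kv(line):
    """Split a FortiOS key=value log line into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def is_sslvpnd_crash(line):
    """True if the line is an sslvpnd crash with Signal 11 (SIGSEGV), as in the IoC."""
    fields = parse_kv(line)
    return (fields.get("logdesc") == "Application crashed"
            and CRASH_RE.search(fields.get("msg", "")) is not None)

def count_sslvpnd_crashes(lines):
    """Number of matching crash entries; the advisory points at *multiple* entries."""
    return sum(1 for line in lines if is_sslvpnd_crash(line))

def found_artifacts(present_paths):
    """Advisory artifact paths that appear in a listing of paths taken from the device."""
    present = set(present_paths)
    return [p for p in ARTIFACT_PATHS if p in present]
```

Feed `count_sslvpnd_crashes` the exported crash log and `found_artifacts` a directory listing of /data/lib, /data/etc and /var; any hit warrants the compromise handling described in the December 27 update.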
