
Critical Vulnerability in FortiOS SSL-VPN Targeting Governments


Advisory
27 JAN 2023


Background 

Fortinet has issued a warning about a vulnerability affecting several versions of FortiOS, the operating system used in its FortiGate Secure Sockets Layer virtual private network (SSL VPN) and firewall products.

The security flaw is tracked as CVE-2022-42475, is rated Critical, and has been assigned a CVSS score of 9.3 out of 10. The attacks are said to be complex and highly targeted at "governmental or government-related targets."

FortiOS is a network security operating system developed by Fortinet, Inc., which provides a comprehensive set of networking and security features for organizations across all industries.


Modus Operandi 

CVE-2022-42475 is a heap-based buffer overflow vulnerability: more data is written into a heap-allocated buffer than it can hold, corrupting adjacent memory and causing a crash or creating an entry point for attacks.

This allows an unauthenticated, remote attacker to execute arbitrary code or commands on devices running vulnerable versions of FortiOS via specially crafted HTTP(S) requests. Samples of the malicious code show that it is a variant of a generic Linux implant customized for FortiOS.


Impact 

A successful attack may give the attacker full control of the affected system.


Affected Products and Versions 

FortiOS: 

  • Version 7.2.0 through 7.2.2 (upgrade to FortiOS versions 7.2.3 or above) 

  • Version 7.0.0 through 7.0.8 (upgrade to FortiOS versions 7.0.9 or above) 

  • Version 6.4.0 through 6.4.10 (upgrade to FortiOS versions 6.4.11 or above) 

  • Version 6.2.0 through 6.2.11 (upgrade to FortiOS versions 6.2.12 or above) 

  • Version 6.0.0 through 6.0.15 (upgrade to FortiOS version 6.0.16 or above)

  • Version 5.6.0 through 5.6.14 

  • Version 5.4.0 through 5.4.13 

  • Version 5.2.0 through 5.2.15 

  • Version 5.0.0 through 5.0.14 


FortiOS-6K7K: 

  • Version 7.0.0 through 7.0.7 (upgrade to FortiOS-6K7K version 7.0.8 or above) 

  • Version 6.4.0 through 6.4.9 (upgrade to FortiOS-6K7K version 6.4.10 or above) 

  • Version 6.2.0 through 6.2.11 (upgrade to FortiOS-6K7K version 6.2.12 or above) 

  • Version 6.0.0 through 6.0.14 (upgrade to FortiOS-6K7K version 6.0.15 or above) 


FortiProxy: 

  • Version 7.2.0 through 7.2.1 (upgrade to FortiProxy version 7.2.2 or above)

  • Version 7.0.0 through 7.0.7 (upgrade to FortiProxy version 7.0.8 or above)

  • Version 2.0.0 through 2.0.11 (upgrade to the upcoming FortiProxy version 2.0.12 or above)

  • Version 1.2.0 through 1.2.13 

  • Version 1.1.0 through 1.1.6 

  • Version 1.0.0 through 1.0.7 


Recommendations 

  • Check the event logs, either on the FortiGate or on the FortiAnalyzer, for multiple system-level log events containing the following information:

           Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"

  • Fortinet warned that the following file system artifacts would be present on exploited devices:  

           /data/lib/libips.bak 

           /data/lib/libgif.so 

           /data/lib/libiptcp.so 

           /data/lib/libipudp.so 

           /data/lib/libjepg.so 

           /var/.sslvpnconfigbk 

           /data/etc/wxd.conf 

           /flash 

  • Fortinet also shared the following list of suspicious IP addresses; connections from the FortiGate to these addresses (on the listed ports, where given) are an indicator of compromise:

           188.34.130.40:444 

           103.131.189.143:30080,30081,30443,20443 

           192.36.119.61:8443,444 

           172.247.168.153:8033 

           139.180.184.197 

           66.42.91.32 

           158.247.221.101 

           107.148.27.117 

           139.180.128.142 

           155.138.224.122 

           185.174.136.20 
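As an added example (not Fortinet's tooling and not part of this advisory), the following Python script applies the three detection points above to exported logs and a file listing: it parses FortiOS key=value log lines, flags the sslvpnd crash signature, matches traffic-log destinations against the listed IP addresses and ports, and checks a file-system listing for the named artifacts. The log lines it contains are constructed samples; the field names (logdesc, msg, type, srcip, dstip, dstport) follow FortiOS log conventions, and the exact export format is an assumption.

```python
import re

# Indicators reproduced from the advisory above: destination IP -> set of
# ports named for it, or None where the advisory lists the address alone.
SUSPICIOUS_ENDPOINTS = {
    "188.34.130.40": {444},
    "103.131.189.143": {30080, 30081, 30443, 20443},
    "192.36.119.61": {8443, 444},
    "172.247.168.153": {8033},
    "139.180.184.197": None,
    "66.42.91.32": None,
    "158.247.221.101": None,
    "107.148.27.117": None,
    "139.180.128.142": None,
    "155.138.224.122": None,
    "185.174.136.20": None,
}

# File-system artifacts reproduced from the advisory above.
ARTIFACT_PATHS = {
    "/data/lib/libips.bak", "/data/lib/libgif.so", "/data/lib/libiptcp.so",
    "/data/lib/libipudp.so", "/data/lib/libjepg.so", "/var/.sslvpnconfigbk",
    "/data/etc/wxd.conf", "/flash",
}

# FortiOS logs are key=value pairs; values containing spaces are double-quoted
# (assumed export format). Quoted values are consumed whole so that text
# inside msg="..." is never mistaken for further key=value pairs.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_line(line):
    """Turn one FortiOS key=value log line into a dict with quotes stripped."""
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def is_sslvpnd_crash(fields):
    """Match the system-event signature the advisory says to look for."""
    msg = fields.get("msg", "")
    return (fields.get("logdesc") == "Application crashed"
            and "application:sslvpnd" in msg
            and "Signal 11 received" in msg)


def classify_endpoint(dstip, dstport):
    """'match' when the IP and port are listed (or the IP alone, where the
    advisory names no port); 'ip-only' when the IP is listed but the port
    is not; None when the destination is not an indicator at all."""
    if dstip not in SUSPICIOUS_ENDPOINTS:
        return None
    ports = SUSPICIOUS_ENDPOINTS[dstip]
    if ports is None or dstport in ports:
        return "match"
    return "ip-only"


def scan_logs(lines):
    """Return crash timestamps and suspicious outbound connections in lines."""
    report = {"crashes": [], "connections": []}
    for line in lines:
        f = parse_fortios_line(line)
        if is_sslvpnd_crash(f):
            report["crashes"].append(f"{f.get('date', '?')} {f.get('time', '?')}")
        if f.get("type") == "traffic" and "dstip" in f:
            port = int(f["dstport"]) if f.get("dstport", "").isdigit() else None
            verdict = classify_endpoint(f["dstip"], port)
            if verdict:
                report["connections"].append((f.get("srcip"), f["dstip"], port, verdict))
    return report


def check_artifacts(listing):
    """Return the advisory's artifact paths present in a file-system listing."""
    return sorted(ARTIFACT_PATHS & set(listing))


# Constructed sample log lines (not real device output) in FortiOS format.
SAMPLE_LOGS = [
    'date=2023-01-10 time=08:12:01 logid="0100022" type="event" subtype="system" level="critical" logdesc="Application crashed" msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"',
    'date=2023-01-10 time=08:12:02 logid="0100022" type="event" subtype="system" level="critical" logdesc="Application crashed" msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"',
    'date=2023-01-10 time=08:13:00 logid="0100032" type="event" subtype="system" level="notice" logdesc="Admin login successful" msg="Administrator admin logged in successfully from https(192.0.2.10)"',
    'date=2023-01-10 time=08:15:40 type="traffic" subtype="forward" srcip=192.0.2.10 srcport=51234 dstip=188.34.130.40 dstport=444 action="accept"',
    'date=2023-01-10 time=08:16:03 type="traffic" subtype="forward" srcip=192.0.2.10 srcport=51235 dstip=66.42.91.32 dstport=443 action="accept"',
    'date=2023-01-10 time=08:16:10 type="traffic" subtype="forward" srcip=192.0.2.10 srcport=51236 dstip=198.51.100.7 dstport=443 action="accept"',
]

if __name__ == "__main__":
    r = scan_logs(SAMPLE_LOGS)
    print(f"sslvpnd crashes: {len(r['crashes'])} at {r['crashes']}")
    for src, dst, port, verdict in r["connections"]:
        print(f"{src} -> {dst}:{port} [{verdict}]")
    print("artifacts:", check_artifacts(["/data/lib/libips.bak", "/data/lib/libips.so"]))
```

A single sslvpnd crash can be benign, which is why the advisory points at multiple entries; the crash list is returned with timestamps so repeated crashes in a short window stand out. The "ip-only" verdict is kept separate from "match" because a connection to a listed address on an unlisted port still deserves a look, but carries less weight than an exact indicator.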

