Advisory
27 JAN 2023
Background
Fortinet has issued a warning on a vulnerability affecting several versions of Fortinet FortiOS used in its FortiGate secure socket layer virtual private network (SSL VPN) and firewall products.
The security flaw is tracked as CVE-2022-42475 which is rated Critical and assigned a CVSS score of 9.3 out of 10. The attacks are said to be complex and highly targeted at “governmental or government-related targets.”
FortiOS is a network security operating system developed by Fortinet, Inc which provides a comprehensive set of networking and security features for organizations across all industries.
Modus Operandi
CVE-2022-42475 is a heap-based buffer overflow vulnerability which involves overloading a buffer with more data than it can handle, causing a crash or creating an entry point for attacks.
This event will then lead an unauthenticated, remote attacker to execute arbitrary code or commands on devices running vulnerable versions of FortiOS via specifically crafted HTTP(S) requests. Sample of the code shows that it is a variant of a generic Linux implant customized for FortiOS.
Impact
A successful attack may cause the attacker to gain full control of the affected system.
Affected Products and Versions
FortiOS:
-
Version 7.2.0 through 7.2.2 (upgrade to FortiOS versions 7.2.3 or above)
-
Version 7.0.0 through 7.0.8 (upgrade to FortiOS versions 7.0.9 or above)
-
Version 6.4.0 through 6.4.10 (upgrade to FortiOS versions 6.4.11 or above)
-
Version 6.2.0 through 6.2.11 (upgrade to FortiOS versions 6.2.12 or above)
-
Version 6.0.0 through 6.0.15 (Upgrade to FortiOS version 6.0.16 or above)
-
Version 5.6.0 through 5.6.14
-
Version 5.4.0 through 5.4.13
-
Version 5.2.0 through 5.2.15
-
Version 5.0.0 through 5.0.14
FortiOS-6K7K:
-
Version 7.0.0 through 7.0.7 (upgrade to FortiOS-6K7K version 7.0.8 or above)
-
Version 6.4.0 through 6.4.9 (upgrade to FortiOS-6K7K version 6.4.10 or above)
-
Version 6.2.0 through 6.2.11 (upgrade to FortiOS-6K7K version 6.2.12 or above)
-
Version 6.0.0 through 6.0.14 (upgrade to FortiOS-6K7K version 6.0.15 or above)
FortiProxy:
-
Version 7.2.0 through 7.2.1 (FortiProxy version 7.2.2 or above)
-
Version 7.0.0 through 7.0.7 (FortiProxy version 7.0.8 or above)
-
Version 2.0.0 through 2.0.11 (Please upgrade to upcoming FortiProxy version 2.0.12 or above)
-
Version 1.2.0 through 1.2.13
-
Version 1.1.0 through 1.1.6
-
Version 1.0.0 through 1.0.7
Recommendations
-
Immediately upgrade to the latest patches. However, before upgrading, Fortinet recommends organizations disable the SSL-VPN device. Please refer to this link for steps and procedures: https://community.fortinet.com/t5/FortiGate/Technical-Tip-nbsp-How-to-disable-SSL-VPN-functionality-on/ta-p/230801
-
Create access rules to limit connections from specific IP addresses.
-
Immediately validate systems against the following indicators of compromise by searching for:
Event Logs either on the FortiGate or the FortiAnalyzer for multiple System level log events containing the following information:
Logdesc=”Application crashed” and msg=”[…] application:sslvpnd,[…], Signal 11 received, Backtrace: […]“
-
Fortinet warned that the following file system artifacts would be present on exploited devices:
/data/lib/libips.bak
/data/lib/libgif.so
/data/lib/libiptcp.so
/data/lib/libipudp.so
/data/lib/libjepg.so
/var/.sslvpnconfigbk
/data/etc/wxd.conf
/flash
-
Fortinet also shared a list of connections to suspicious IP addresses from FortiGate:
188.34.130.40:444
103.131.189.143:30080,30081,30443,20443
192.36.119.61:8443,444
172.247.168.153:8033
139.180.184.197
66.42.91.32
158.247.221.101
107.148.27.117
139.180.128.142
155.138.224.122
185.174.136.20
References
