Critical Fortigate VPN SSL Vulnerability – CVE-2022-42475

Updated on Tuesday, 13 December – Affected versions.

Critical VPN SSL Vulnerability (FortiOS): Fortinet has just announced a critical vulnerability in all versions. It can be easily exploited remotely to compromise the firewall, and remote code execution is considered likely in common situations. The flaw lets an attacker manipulate the dynamic memory (heap) of the affected process in order to divert its normal operation. The impact is arbitrary code execution, i.e. execution of unauthorized code or commands.


The highest severity issue fixed in this release is CRITICAL.

This vulnerability has a CVSS score higher than 9. It is already patched in the latest versions of FortiOS, although it is not mentioned in their release notes, and the related PSIRT advisory from FortiGuard Labs is now publicly accessible. A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.


IR Number: FG-IR-22-398
Date: Dec 12, 2022
CVSSv3 Score: 9.3
Impact: Execute unauthorized code or commands
CVE ID: CVE-2022-42475

Affected versions:

  • FortiOS version 7.2.x to 7.2.2,
  • FortiOS version 7.0.x to 7.0.8,
  • FortiOS version 6.4.x to 6.4.10,
  • FortiOS version 6.2.x to 6.2.11,
  • FortiOS version 6.0.x to 6.0.15,
  • FortiOS version 5.6.x to 5.6.14,
  • FortiOS version 5.4.x to 5.4.13,
  • FortiOS version 5.2.x to 5.2.15,
  • FortiOS version 5.0.x to 5.0.14,
  • FortiOS-6K7K version 7.0.x to 7.0.7,
  • FortiOS-6K7K version 6.4.x to 6.4.9,
  • FortiOS-6K7K version 6.2.x to 6.2.11,
  • FortiOS-6K7K version 6.0.x to 6.0.14.


Workaround:

Prepare for immediate patching as follows:

  • FortiOS version 7.2.x to 7.2.2: Downgrade to version 7.0.9 (check the compatibility of the new features of v7.2.x with 7.0.9) or upgrade to 7.2.3,
  • FortiOS version 7.0.x to 7.0.8: Upgrade to version 7.0.9,
  • FortiOS version 6.4.x to 6.4.10: Upgrade to version 6.4.11,
  • FortiOS version 6.2.x to 6.2.11: Upgrade to version 6.2.12,
  • FortiOS-6K7K version 7.0.x to 7.0.7: Upgrade to version 7.0.8,
  • FortiOS-6K7K version 6.4.x to 6.4.9: Upgrade to version 6.4.10,
  • FortiOS-6K7K version 6.2.x to 6.2.11: Upgrade to version 6.2.12,
  • FortiOS-6K7K version 6.0.x to 6.0.14: Upgrade to version 6.0.15.


Exploitation status:

Fortinet is aware of an instance where this vulnerability was exploited in the wild, and recommends immediately validating your systems against the following indicators of compromise:

Multiple log entries with:

Logdesc="Application crashed" and msg="[…] application:sslvpnd,[…], Signal 11 received, Backtrace: […]"

Presence of the following artifacts in the filesystem:

/data/lib/libips.bak
/data/lib/libgif.so
/data/lib/libiptcp.so
/data/lib/libipudp.so
/data/lib/libjepg.so
/var/.sslvpnconfigbk
/data/etc/wxd.conf
/flash

Connections to suspicious IP addresses from the FortiGate:

188.34.130.40:444
103.131.189.143:30080,30081,30443,20443
192.36.119.61:8443,444
172.247.168.153:8033
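The two checks a defender needs from this advisory (is my FortiOS build in an affected range, and do my logs carry the sslvpnd crash signature above) can be scripted. The following is an added example, not Fortinet's or this blog's code; the version table is transcribed from the lists above, and the sample log lines and the regex are constructed for illustration.

```python
import re

# Affected branches from the advisory: branch -> (last affected patch level, fixed release).
# None means the page lists no fixed release for that branch (move to a supported branch).
AFFECTED = {
    "FortiOS": {
        "7.2": (2, "7.2.3"), "7.0": (8, "7.0.9"), "6.4": (10, "6.4.11"), "6.2": (11, "6.2.12"),
        "6.0": (15, None), "5.6": (14, None), "5.4": (13, None), "5.2": (15, None), "5.0": (14, None),
    },
    "FortiOS-6K7K": {
        "7.0": (7, "7.0.8"), "6.4": (9, "6.4.10"), "6.2": (11, "6.2.12"), "6.0": (14, "6.0.15"),
    },
}


def assess_version(product, version):
    """Return (vulnerable, fixed_release) for a dotted version string such as '7.0.8'."""
    major, minor, patch = (int(p) for p in version.split("."))
    entry = AFFECTED.get(product, {}).get(f"{major}.{minor}")
    if entry is None:
        return False, None  # branch not listed as affected on the page
    last_affected, fix = entry
    return patch <= last_affected, fix


# sslvpnd crash indicator from the advisory (constructed regex; field order may vary per firmware)
CRASH_RE = re.compile(
    r'logdesc="Application crashed".*application:sslvpnd.*Signal 11 received', re.IGNORECASE
)


def find_sslvpnd_crashes(log_lines):
    """Return the log lines that match the crash indicator; repeated hits warrant investigation."""
    return [line for line in log_lines if CRASH_RE.search(line)]


# Constructed sample log lines (not real device output)
SAMPLE_LOG = [
    'date=2022-12-12 time=10:01:02 logdesc="Application crashed" msg="Pid: 1234, '
    'application:sslvpnd, Firmware: FortiGate-100F v7.0.8, Signal 11 received, Backtrace: [0x00414aa0]"',
    'date=2022-12-12 time=10:01:05 logdesc="Admin login successful" msg="Administrator admin '
    'logged in successfully from https(10.0.0.5)"',
]

if __name__ == "__main__":
    print(assess_version("FortiOS", "7.0.8"))        # (True, '7.0.9')
    print(len(find_sslvpnd_crashes(SAMPLE_LOG)))     # 1
```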

All users of FortiGate should use this time to inventory their FortiGate instances and prepare for immediate patching. We recommend that you begin identifying your vulnerable systems now and prepare to patch (by scheduling a dedicated task force) as soon as possible.

Source: https://www.fortiguard.com/psirt/FG-IR-22-398

Organizations, users, get ready! We’ll keep you updated.
