CVE-2022-42475 is a critical vulnerability in the sslvpn module.
Situation
This heap-based buffer overflow vulnerability is tracked as CVE-2022-42475 and received a CVSSv3 score of 9.3 out of 10. It could allow unauthenticated remote attackers to execute arbitrary code or commands, or to crash the device, by sending specifically crafted network packets. Fortinet also informed that this vulnerability is actively exploited in the wild.
Affected OS
FortiOS version 7.2.0 through 7.2.2
FortiOS version 7.0.0 through 7.0.8
FortiOS version 6.4.0 through 6.4.10
FortiOS version 6.2.0 through 6.2.11
FortiOS version 6.0.0 through 6.0.15
FortiOS version 5.6.0 through 5.6.14
FortiOS version 5.4.0 through 5.4.13
FortiOS version 5.2.0 through 5.2.15
FortiOS version 5.0.0 through 5.0.14
FortiOS-6K7K version 7.0.0 through 7.0.7
FortiOS-6K7K version 6.4.0 through 6.4.9
FortiOS-6K7K version 6.2.0 through 6.2.11
FortiOS-6K7K version 6.0.0 through 6.0.14
Workaround
Disable SSL VPN
Solution
Upgrade to the fixed OS versions according to the Fortinet PSIRT Advisory.
How to detect an attack
Fortinet already shared a few indicators of compromise about the known attacks in the PSIRT Advisory:
Exploiting the vulnerability will generate the following entries in the logs:
Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"
After exploitation, the following artifacts might be present on the file system:
/data/lib/libips.bak
/data/lib/libgif.so
/data/lib/libiptcp.so
/data/lib/libipudp.so
/data/lib/libjepg.so
/var/.sslvpnconfigbk
/data/etc/wxd.conf
/flash
Known attack sources:
188.34.130.40:444
103.131.189.143:30080, 30081, 30443, 20443
192.36.119.61:8443, 444
172.247.168.153:8033
Another indicator of compromise is repeated crashes of the sslvpnd daemon. Please be alert if you receive multiple entries when checking for crashes using the following command:
# diag deb crashlog read | grep sslvpnd
Additionally, to check the file system for the files mentioned above you can use the following command (here for /data/lib; repeat it for the other directories listed):
# fnsysctl ls /data/lib
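As an added triage helper (example code, not Fortinet's or Sidarion's), the following Python script applies the two checks above to text pasted from the FortiGate CLI: it counts sslvpnd "Signal 11" crash entries in log lines of the format quoted earlier and matches an fnsysctl ls listing against the file artifacts from the advisory. The sample log lines and directory listings are constructed, and the function names are my own.

```python
"""Triage helper for the CVE-2022-42475 indicators above (added example, not
Fortinet's or Sidarion's code). It scans pasted FortiOS crash-log lines for the
sslvpnd crash pattern and 'fnsysctl ls' listings for the advisory's file
artifacts. All sample input below is constructed, not captured from a device."""
import re

# File artifacts named in the PSIRT advisory, grouped by directory.
ARTIFACTS = {
    "/data/lib": {"libips.bak", "libgif.so", "libiptcp.so", "libipudp.so", "libjepg.so"},
    "/var": {".sslvpnconfigbk"},
    "/data/etc": {"wxd.conf"},
}

# The crash pattern from the advisory: sslvpnd terminated by signal 11 (SIGSEGV).
SSLVPND_CRASH = re.compile(r"application:sslvpnd\b.*Signal 11 received", re.IGNORECASE)


def count_sslvpnd_crashes(log_text: str) -> int:
    """Count log lines recording an sslvpnd crash; several in a short time is the red flag."""
    return sum(1 for line in log_text.splitlines() if SSLVPND_CRASH.search(line))


def find_artifacts(directory: str, ls_output: str) -> list:
    """Return the advisory-listed file names present in the listing of `directory`."""
    present = set(ls_output.split())
    return sorted(present & ARTIFACTS.get(directory, set()))


def triage(log_text: str, listings: dict) -> dict:
    """Combine both checks; `listings` maps a directory to its 'fnsysctl ls' output."""
    hits = {d: find_artifacts(d, out) for d, out in listings.items()}
    return {
        "sslvpnd_crashes": count_sslvpnd_crashes(log_text),
        "artifacts": {d: names for d, names in hits.items() if names},
    }


# Constructed sample: two sslvpnd crashes and one unrelated crash, in the advisory's format.
SAMPLE_LOG = """\
logdesc="Application crashed" msg="Pid: 1201, application:sslvpnd, Signal 11 received, Backtrace: [0x1]"
logdesc="Application crashed" msg="Pid: 1305, application:sslvpnd, Signal 11 received, Backtrace: [0x1]"
logdesc="Application crashed" msg="Pid: 1410, application:wad, Signal 11 received, Backtrace: [0x1]"
"""
# Constructed listings; the ordinary-looking names stand in for legitimate libraries.
SAMPLE_LISTINGS = {
    "/data/lib": "libips.so libips.bak libgif.so libssl.so libjepg.so",
    "/var": "log run",
}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_LISTINGS))
```

Note that libjepg.so is spelled as in the advisory (not libjpeg.so); the lookalike name is part of what makes the artifact easy to overlook in a listing.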
Please contact Sidarion in case of questions, if you need further support or think your systems might have been compromised.