What is this vulnerability all about?

Fortinet has published a PSIRT Advisory about a critical pre-authentication vulnerability in the sslvpnd module of FortiOS that allows an unauthenticated attacker to execute arbitrary code.

CVE-2022-42475 is a critical vulnerability in the sslvpn module.

Situation

This heap-based buffer overflow vulnerability is tracked as CVE-2022-42475 and received a CVSSv3 score of 9.3 out of 10. It could allow unauthenticated attackers to execute arbitrary code, execute commands or crash the device by sending specifically crafted network packets. Fortinet also reports that this vulnerability is being actively exploited in the wild.

Affected OS

FortiOS version 7.2.0 through 7.2.2
FortiOS version 7.0.0 through 7.0.8
FortiOS version 6.4.0 through 6.4.10
FortiOS version 6.2.0 through 6.2.11
FortiOS version 6.0.0 through 6.0.15
FortiOS version 5.6.0 through 5.6.14
FortiOS version 5.4.0 through 5.4.13
FortiOS version 5.2.0 through 5.2.15
FortiOS version 5.0.0 through 5.0.14
FortiOS-6K7K version 7.0.0 through 7.0.7
FortiOS-6K7K version 6.4.0 through 6.4.9
FortiOS-6K7K version 6.2.0 through 6.2.11
FortiOS-6K7K version 6.0.0 through 6.0.14

Workaround

Disable SSL VPN

Solution

Upgrade to the fixed OS versions according to the Fortinet PSIRT Advisory.

How to detect an attack

Fortinet has already shared a few indicators of compromise from the known attacks in the PSIRT Advisory:

Exploiting the vulnerability will generate the following entries in the logs:

Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"

After exploitation, the following artifacts might be present on the file system:
/data/lib/libips.bak
/data/lib/libgif.so
/data/lib/libiptcp.so
/data/lib/libipudp.so
/data/lib/libjepg.so
/var/.sslvpnconfigbk
/data/etc/wxd.conf
/flash

Known attack sources:
188.34.130.40:444
103.131.189.143:30080, 30081, 30443, 20443
192.36.119.61:8443, 444
172.247.168.153:8033

Another indicator of compromise is repeated crashes of sslvpnd. Be alert if you see multiple entries when checking for crashes with the following command:

# diag deb crashlog read | grep sslvpnd

Additionally, to check the file system for the files listed above, you can use the following command (adjust the path for the other directories listed above):

# fnsysctl ls /data/lib
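The two checks above (sslvpnd crash entries in the crash log and artifact paths in a directory listing) can be combined into a single triage script. The following is an added example, not code from Fortinet or Sidarion; it assumes the log records are exported as key=value text lines and that the directory listing is the plain output of the `ls` command, and its sample log lines and listing are constructed to match the patterns the advisory quotes.

```python
import re

# Artifact paths and the crash log pattern come from the advisory text above.
ARTIFACT_PATHS = {
    "/data/lib/libips.bak", "/data/lib/libgif.so", "/data/lib/libiptcp.so",
    "/data/lib/libipudp.so", "/data/lib/libjepg.so", "/var/.sslvpnconfigbk",
    "/data/etc/wxd.conf",
}

# An sslvpnd crash record: logdesc "Application crashed" together with
# application:sslvpnd and Signal 11 (segmentation fault) in the same record.
CRASH_RE = re.compile(
    r'logdesc="Application crashed".*application:sslvpnd.*Signal 11 received',
    re.IGNORECASE,
)

# Constructed sample log lines modelled on the entry the advisory quotes;
# the ipsengine line is a decoy that must not be counted.
SAMPLE_LOG = [
    'date=2022-12-12 time=10:01:02 logdesc="Application crashed" msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"',
    'date=2022-12-12 time=10:01:09 logdesc="Application crashed" msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"',
    'date=2022-12-12 time=10:02:00 logdesc="Admin login successful" msg="Administrator admin logged in from GUI"',
    'date=2022-12-12 time=10:05:00 logdesc="Application crashed" msg="[...] application:ipsengine,[...], Signal 6 received, Backtrace: [...]"',
]
# Constructed sample output of "fnsysctl ls /data/lib".
SAMPLE_LS_DATA_LIB = "libips.so\nlibips.bak\nlibssl.so\nlibgif.so\n"


def count_sslvpnd_crashes(lines):
    """Number of log records matching the sslvpnd Signal 11 crash pattern."""
    return sum(1 for line in lines if CRASH_RE.search(line))


def suspicious_paths(directory, ls_output):
    """Entries of a directory listing that appear on the advisory's artifact list."""
    seen = {directory.rstrip("/") + "/" + name for name in ls_output.split()}
    return sorted(seen & ARTIFACT_PATHS)


def assess(lines, directory, ls_output, crash_threshold=2):
    """Combine both indicators: repeated sslvpnd crashes (threshold is an
    assumption) or any listed artifact path means the device needs a closer look."""
    crashes = count_sslvpnd_crashes(lines)
    artifacts = suspicious_paths(directory, ls_output)
    return {"sslvpnd_crashes": crashes, "artifacts": artifacts,
            "investigate": crashes >= crash_threshold or bool(artifacts)}


if __name__ == "__main__":
    print(assess(SAMPLE_LOG, "/data/lib", SAMPLE_LS_DATA_LIB))
```

Run the same functions over the real crash log export and over listings of each directory named in the artifact list, not just /data/lib.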

Please contact Sidarion in case of questions, if you need further support or think your systems might have been compromised.