10:15am, 13 December 2022
TLP Rating:
Fortinet software SSL-VPN Remote Code Execution vulnerability
A vulnerability has been discovered that affects FortiGate devices running FortiOS with SSL-VPN enabled.
This vulnerability (CVE-2022-42475) allows for an attacker, using a heap-based buffer overflow, to run unauthorised commands remotely on affected systems.
Fortinet is aware of an instance where this vulnerability was exploited in the wild.
UPDATED 15/12/22: added more affected versions of FortiOS.
What to look for
How to tell if you're at risk
If you have SSL-VPN enabled on FortiGate devices with the following versions:
- FortiOS version 7.2.0 through 7.2.2
- FortiOS version 7.0.0 through 7.0.8
- FortiOS version 6.4.0 through 6.4.10
- FortiOS version 6.2.0 through 6.2.11
- FortiOS version 6.0.0 through 6.0.15
- FortiOS version 5.6.0 through 5.6.14
- FortiOS version 5.4.0 through 5.4.13
- FortiOS version 5.2.0 through 5.2.15
- FortiOS version 5.0.0 through 5.0.14
- FortiOS-6K7K version 7.0.0 through 7.0.7
- FortiOS-6K7K version 6.4.0 through 6.4.9
- FortiOS-6K7K version 6.2.0 through 6.2.11
- FortiOS-6K7K version 6.0.0 through 6.0.14
If you do not have SSL-VPN enabled, this vulnerability does not affect you.
How to tell if you're affected
Multiple log entries with:
- Logdesc="Application crashed"
and
- msg="[…] application:sslvpnd,[…], Signal 11 received, Backtrace: […]“
Presence of the following artifacts in the filesystem:
- /data/lib/libips.bak
- /data/lib/libgif.so
- /data/lib/libiptcp.so
- /data/lib/libipudp.so
- /data/lib/libjepg.so
- /var/.sslvpnconfigbk
- /data/etc/wxd.conf
- /flash
Fortinet have listed some suspicious IP addresses and ports.
What to do
Prevention
Update FortiOS to the latest version:
- FortiOS version 7.2.3 or above
- FortiOS version 7.0.9 or above
- FortiOS version 6.4.11 or above
- FortiOS version 6.2.12 or above
- FortiOS version 6.0.16 or above
- FortiOS-6K7K version 7.0.8 or above
- FortiOS-6K7K version 6.4.10 or above
- FortiOS-6K7K version 6.2.12 or above
- FortiOS-6K7K version 6.0.15 or above
Mitigation
For alternative mitigations, CERT NZ recommends disabling SSL-VPN
More information
Fortinet has published further details
PSIRT Advisories | FortiGuard External Link
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.