Fortinet software SSL-VPN Remote Code Execution vulnerability

10:15am, 13 December 2022

TLP Rating: Clear

A vulnerability has been discovered that affects FortiGate devices running FortiOS with SSL-VPN enabled.

This vulnerability (CVE-2022-42475) is a heap-based buffer overflow that allows an attacker to run unauthorised commands remotely on affected systems.

Fortinet is aware of an instance where this vulnerability was exploited in the wild.

UPDATED 15/12/22: added more affected versions of FortiOS.

What to look for

How to tell if you're at risk

You are at risk if you have SSL-VPN enabled on FortiGate devices running any of the following versions:

  • FortiOS version 7.2.0 through 7.2.2
  • FortiOS version 7.0.0 through 7.0.8
  • FortiOS version 6.4.0 through 6.4.10
  • FortiOS version 6.2.0 through 6.2.11
  • FortiOS version 6.0.0 through 6.0.15
  • FortiOS version 5.6.0 through 5.6.14
  • FortiOS version 5.4.0 through 5.4.13
  • FortiOS version 5.2.0 through 5.2.15
  • FortiOS version 5.0.0 through 5.0.14
  • FortiOS-6K7K version 7.0.0 through 7.0.7
  • FortiOS-6K7K version 6.4.0 through 6.4.9
  • FortiOS-6K7K version 6.2.0 through 6.2.11
  • FortiOS-6K7K version 6.0.0 through 6.0.14

If you do not have SSL-VPN enabled, this vulnerability does not affect you.
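
The version ranges above can be checked mechanically. The following is an added example (not CERT NZ or Fortinet tooling) that transcribes the affected ranges and fixed releases from this advisory into a small Python checker; the product names, function names and the sample `get system status` line are assumptions of the example, and the sample line is constructed rather than captured from a device.

```python
"""Decide whether a FortiGate's FortiOS version falls in one of the affected
ranges listed in this advisory for CVE-2022-42475, and which fixed release
the advisory names for that branch.

Added example (not CERT NZ or Fortinet tooling). The version ranges are
those printed in the advisory; everything else is an assumption of this
example."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges (inclusive) per product line, transcribed from the advisory.
AFFECTED = {
    "FortiOS": [
        ((7, 2, 0), (7, 2, 2)), ((7, 0, 0), (7, 0, 8)), ((6, 4, 0), (6, 4, 10)),
        ((6, 2, 0), (6, 2, 11)), ((6, 0, 0), (6, 0, 15)), ((5, 6, 0), (5, 6, 14)),
        ((5, 4, 0), (5, 4, 13)), ((5, 2, 0), (5, 2, 15)), ((5, 0, 0), (5, 0, 14)),
    ],
    "FortiOS-6K7K": [
        ((7, 0, 0), (7, 0, 7)), ((6, 4, 0), (6, 4, 9)),
        ((6, 2, 0), (6, 2, 11)), ((6, 0, 0), (6, 0, 14)),
    ],
}

# First fixed release per major.minor branch, transcribed from the advisory.
# The 5.x branches have no fixed release listed, so they are absent here.
FIXED = {
    "FortiOS": {(7, 2): (7, 2, 3), (7, 0): (7, 0, 9), (6, 4): (6, 4, 11),
                (6, 2): (6, 2, 12), (6, 0): (6, 0, 16)},
    "FortiOS-6K7K": {(7, 0): (7, 0, 8), (6, 4): (6, 4, 10),
                     (6, 2): (6, 2, 12), (6, 0): (6, 0, 15)},
}


def parse_version(text: str) -> Version:
    """Extract the first x.y.z version from free text, e.g. the 'Version:'
    line of `get system status` ("... v7.0.8,build... ")."""
    m = re.search(r"\bv?(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(version: str, product: str = "FortiOS",
                sslvpn_enabled: bool = True) -> bool:
    """True when SSL-VPN is enabled and the version sits inside an affected
    range. With SSL-VPN disabled the advisory states the device is not
    affected, whatever the version."""
    if not sslvpn_enabled:
        return False
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED[product])


def fixed_release(version: str, product: str = "FortiOS") -> Optional[str]:
    """Return the first fixed release for the version's major.minor branch,
    or None when the advisory lists none for that branch."""
    v = parse_version(version)
    fix = FIXED[product].get((v[0], v[1]))
    return ".".join(map(str, fix)) if fix else None


def assess(status_line: str, product: str = "FortiOS",
           sslvpn_enabled: bool = True) -> dict:
    """Summarise risk for one device from its version/status line."""
    v = parse_version(status_line)
    return {
        "version": ".".join(map(str, v)),
        "at_risk": is_affected(status_line, product, sslvpn_enabled),
        "upgrade_to": fixed_release(status_line, product),
    }


if __name__ == "__main__":
    # Constructed sample in the style of a `get system status` Version line
    # (hypothetical build number, not a real capture).
    sample = "Version: FortiGate-100F v7.0.8,build0000 (GA.F)"
    print(assess(sample))
    # {'version': '7.0.8', 'at_risk': True, 'upgrade_to': '7.0.9'}
```

A version on an affected 5.x branch returns `at_risk: True` with `upgrade_to: None`, which reflects the advisory: those branches have no fixed release listed, so disabling SSL-VPN is the only mitigation the page offers for them.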

How to tell if you're affected

Multiple log entries with:

  • Logdesc="Application crashed"

and

  • msg="[…] application:sslvpnd,[…], Signal 11 received, Backtrace: […]"

Presence of the following artifacts in the filesystem:

  • /data/lib/libips.bak
  • /data/lib/libgif.so
  • /data/lib/libiptcp.so
  • /data/lib/libipudp.so
  • /data/lib/libjepg.so
  • /var/.sslvpnconfigbk
  • /data/etc/wxd.conf
  • /flash
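
The crash signature and artifact list above can be turned into a repeatable check. The following is an added example (not CERT NZ or Fortinet tooling) in Python: it parses FortiOS-style key=value log lines for the sslvpnd crash indicator and compares a one-path-per-line file listing against the artifact paths listed here. It assumes the logs have been exported as text (for example via syslog) and that a file listing has been taken from the device; the sample log lines and listing in the block are constructed, not real captures.

```python
"""Hunt for the two indicator types named in this advisory: sslvpnd crash
log entries and the listed filesystem artifacts.

Added example, not CERT NZ or Fortinet tooling. It assumes FortiGate logs
have been exported as text (syslog or a log export) and that a file listing
from the device is available one path per line; the log lines and listing
below are constructed samples, not real captures."""
import re
from typing import Dict, Iterable, List

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> Dict[str, str]:
    """Split a FortiOS-style key=value log line; values may be double-quoted.
    Keys are lower-cased so logdesc= and Logdesc= are treated alike."""
    return {k.lower(): v.strip('"') for k, v in KV_RE.findall(line)}


def is_sslvpnd_crash(line: str) -> bool:
    """Match the advisory's indicator: logdesc="Application crashed" whose
    msg names application:sslvpnd and a received Signal 11 (SIGSEGV)."""
    f = parse_kv(line)
    msg = f.get("msg", "")
    return (f.get("logdesc") == "Application crashed"
            and "application:sslvpnd" in msg
            and "Signal 11 received" in msg)


def sslvpnd_crashes(lines: Iterable[str]) -> List[str]:
    """All lines that match the sslvpnd crash indicator."""
    return [ln for ln in lines if is_sslvpnd_crash(ln)]


# Filesystem artifacts exactly as listed in the advisory.
ARTIFACTS = {
    "/data/lib/libips.bak", "/data/lib/libgif.so", "/data/lib/libiptcp.so",
    "/data/lib/libipudp.so", "/data/lib/libjepg.so", "/var/.sslvpnconfigbk",
    "/data/etc/wxd.conf", "/flash",
}


def find_artifacts(listing: Iterable[str]) -> List[str]:
    """Return the advisory-listed paths present in a one-path-per-line listing."""
    return sorted({p.strip() for p in listing} & ARTIFACTS)


def assess(log_lines: Iterable[str], listing: Iterable[str]) -> dict:
    """The advisory speaks of multiple crash entries; two or more, or any
    listed artifact, is treated here as worth investigating."""
    crashes = sslvpnd_crashes(log_lines)
    found = find_artifacts(listing)
    return {"crash_entries": len(crashes), "artifacts": found,
            "investigate": len(crashes) >= 2 or bool(found)}


# Constructed sample log lines (not real device output).
SAMPLE_LOGS = [
    'date=2022-12-12 time=09:58:10 type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" msg="Administrator admin logged in successfully from https(192.0.2.10)"',
    'date=2022-12-12 time=10:02:41 type="event" subtype="system" level="critical" '
    'logdesc="Application crashed" msg="Pid: 912, application:httpsd, Signal 11 received, Backtrace: [...]"',
    'date=2022-12-12 time=10:04:17 type="event" subtype="system" level="critical" '
    'logdesc="Application crashed" msg="Pid: 1204, application:sslvpnd, Firmware: v7.0.8, Signal 11 received, Backtrace: [0x00000000] [0x00000000]"',
    'date=2022-12-12 time=10:04:52 type="event" subtype="system" level="critical" '
    'logdesc="Application crashed" msg="Pid: 1210, application:sslvpnd, Firmware: v7.0.8, Signal 11 received, Backtrace: [0x00000000] [0x00000000]"',
]

# Constructed file listing (not real device output).
SAMPLE_LISTING = ["/data/etc/hosts", "/data/lib/libgif.so", "/var/.sslvpnconfigbk"]

if __name__ == "__main__":
    print(assess(SAMPLE_LOGS, SAMPLE_LISTING))
```

The crash check deliberately requires all three parts of the indicator (the `Application crashed` description, `application:sslvpnd`, and `Signal 11 received`), so a crash of a different daemon does not trigger it; artifact paths are matched exactly as the advisory lists them.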

Fortinet has listed suspicious IP addresses and ports in its PSIRT advisory:

PSIRT Advisories | FortiGuard

What to do

Prevention

Update FortiOS to the following versions or later:

  • FortiOS version 7.2.3 or above
  • FortiOS version 7.0.9 or above
  • FortiOS version 6.4.11 or above
  • FortiOS version 6.2.12 or above
  • FortiOS version 6.0.16 or above
  • FortiOS-6K7K version 7.0.8 or above
  • FortiOS-6K7K version 6.4.10 or above
  • FortiOS-6K7K version 6.2.12 or above
  • FortiOS-6K7K version 6.0.15 or above

Mitigation

If you cannot update, CERT NZ recommends disabling SSL-VPN as a mitigation.

More information

Fortinet has published further details:

PSIRT Advisories | FortiGuard

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ