TR-71 - FortiOS - heap-based buffer overflow in sslvpnd (exploited) - FortiOS SSL-VPN - CVE-2022-42475

Overview

A heap-based buffer overflow vulnerability in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

Vulnerable systems

  • FortiOS version 7.2.0 through 7.2.2
  • FortiOS version 7.0.0 through 7.0.8
  • FortiOS version 6.4.0 through 6.4.10
  • FortiOS version 6.2.0 through 6.2.11
  • FortiOS version 6.0.0 through 6.0.15
  • FortiOS version 5.6.0 through 5.6.14
  • FortiOS version 5.4.0 through 5.4.13
  • FortiOS version 5.2.0 through 5.2.15
  • FortiOS version 5.0.0 through 5.0.14
  • FortiOS-6K7K version 7.0.0 through 7.0.7
  • FortiOS-6K7K version 6.4.0 through 6.4.9
  • FortiOS-6K7K version 6.2.0 through 6.2.11
  • FortiOS-6K7K version 6.0.0 through 6.0.14

Scope of the problem

The vulnerability has been exploited for some time (the exact date on which exploitation began is unknown). If you have a FortiOS device with the SSL-VPN publicly accessible, you should consider running a standard incident response procedure (even if you have auto-update activated).

Fixing and mitigation

  • Upgrade to FortiOS version 7.2.3 or above
  • Upgrade to FortiOS version 7.0.9 or above
  • Upgrade to FortiOS version 6.4.11 or above
  • Upgrade to FortiOS version 6.2.12 or above
  • Upgrade to FortiOS-6K7K version 7.0.8 or above
  • Upgrade to FortiOS-6K7K version 6.4.10 or above
  • Upgrade to FortiOS-6K7K version 6.2.12 or above
  • Upgrade to FortiOS-6K7K version 6.0.15 or above

Firmware can be downloaded via Fortinet Support. A maintenance contract might be required in order to download the firmware. If you cannot update the software, disabling SSL-VPN is an option.
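To triage a fleet against the version lists above, the following added example (written for this page, not a CIRCL or Fortinet tool) encodes the vulnerable ranges and fixed releases from TR-71 and checks a device's reported version against them. It assumes that the "Version:" line of `get system status` has the layout "Version: FortiGate-<model> v<major>.<minor>.<patch>,build...", and that FortiGate 6000/7000-series chassis (model numbers starting with 6 or 7 followed by three digits) run the separate FortiOS-6K7K builds; the sample status output is constructed.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Per product line, per release branch (major, minor): the last vulnerable patch level
# and the first fixed release, as listed in TR-71. None means TR-71 lists no fixed
# release for that branch: the options are moving to a branch that has one, or
# disabling SSL-VPN.
TR71_BRANCHES: Dict[str, Dict[Tuple[int, int], Tuple[int, Optional[Version]]]] = {
    "FortiOS": {
        (7, 2): (2, (7, 2, 3)),
        (7, 0): (8, (7, 0, 9)),
        (6, 4): (10, (6, 4, 11)),
        (6, 2): (11, (6, 2, 12)),
        (6, 0): (15, None),
        (5, 6): (14, None),
        (5, 4): (13, None),
        (5, 2): (15, None),
        (5, 0): (14, None),
    },
    "FortiOS-6K7K": {
        (7, 0): (7, (7, 0, 8)),
        (6, 4): (9, (6, 4, 10)),
        (6, 2): (11, (6, 2, 12)),
        (6, 0): (14, (6, 0, 15)),
    },
}

# Assumed layout of the "Version:" line in 'get system status' output.
STATUS_RE = re.compile(r"Version:\s*(FortiGate-\S+?)\s+v(\d+)\.(\d+)\.(\d+)")


def parse_system_status(text: str) -> Optional[Tuple[str, Version]]:
    """Extract (model, version) from 'get system status' output, or None if absent."""
    m = STATUS_RE.search(text)
    if m is None:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4)))


def product_line(model: str) -> str:
    # Assumption: 6000/7000-series chassis models run FortiOS-6K7K builds,
    # every other FortiGate model runs standard FortiOS.
    return "FortiOS-6K7K" if re.match(r"FortiGate-[67]\d{3}", model) else "FortiOS"


def assess(model: str, version: Version) -> Tuple[str, Optional[Version]]:
    """Return ("vulnerable" | "fixed" | "not_listed", first fixed release or None)."""
    entry = TR71_BRANCHES[product_line(model)].get(version[:2])
    if entry is None:
        return "not_listed", None
    last_vulnerable, fixed = entry
    if version[2] <= last_vulnerable:
        return "vulnerable", fixed
    return "fixed", fixed


def triage(status_output: str) -> Dict[str, object]:
    """Parse a device's status output and produce a one-record triage result."""
    parsed = parse_system_status(status_output)
    if parsed is None:
        return {"error": "no Version line found"}
    model, version = parsed
    state, fixed = assess(model, version)
    return {"model": model, "line": product_line(model), "version": version,
            "state": state, "fixed_release": fixed}


# Constructed sample (build and serial values are placeholders, not real device output).
SAMPLE_STATUS = (
    "Version: FortiGate-100F v7.0.8,build0000,221001 (GA.F)\n"
    "Serial-Number: FGT-PLACEHOLDER\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE_STATUS))
```

The same patch level can be fixed on one product line and vulnerable on the other (7.0.8 is the fixed release for FortiOS-6K7K but still vulnerable on standard FortiOS), which is why the model is parsed alongside the version rather than the version alone.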

Detection and logs

In the report from the FortiGuard PSIRT, the following log entries are listed as potential artifacts for detecting an exploited device:

Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"
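The following added example (written for this page, not code from CIRCL or Fortinet) runs that artifact check over FortiOS event log lines: it parses the key=value format, then flags "Application crashed" events whose msg names sslvpnd and reports Signal 11. The sample lines are constructed to resemble FortiOS system events; their exact field layout is an assumption, so the matcher keys only on the fields the PSIRT report names.

```python
import re
from typing import Dict, Iterable, List

# Parser for FortiOS-style key=value event logs. Quoted values may contain spaces;
# keys are normalised to lower case so "Logdesc" and "logdesc" match alike.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_log(line: str) -> Dict[str, str]:
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key.lower()] = value
    return fields


# The PSIRT artifact: an "Application crashed" event whose msg names sslvpnd and
# reports Signal 11 (SIGSEGV). Whitespace after "application:" varies, so allow it.
SSLVPND_SIGSEGV_RE = re.compile(r"application:\s*sslvpnd\b.*\bSignal 11 received", re.IGNORECASE)


def is_sslvpnd_crash(fields: Dict[str, str]) -> bool:
    return (fields.get("logdesc", "").lower() == "application crashed"
            and SSLVPND_SIGSEGV_RE.search(fields.get("msg", "")) is not None)


def find_sslvpnd_crashes(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per matching line with the fields an analyst needs for triage."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        fields = parse_fortios_log(line)
        if is_sslvpnd_crash(fields):
            hits.append({k: fields.get(k, "") for k in ("date", "time", "devname", "msg")})
    return hits


# Constructed sample lines (assumed field layout; not captured from a real device).
SAMPLE_LOGS = [
    # The TR-71 artifact: sslvpnd crashed with Signal 11.
    'date=2022-12-10 time=03:14:07 devname="FGT-EDGE-01" type="event" subtype="system" '
    'level="critical" logdesc="Application crashed" msg="Pid: 1234, application: sslvpnd, '
    'Firmware: FortiGate-100F v7.0.8,build0000,221001 (GA.F), Signal 11 received, '
    'Backtrace: [0x00007f1b2c3d4e5f]"',
    # Crash of a different daemon: not the artifact described in the report.
    'date=2022-12-10 time=03:15:00 devname="FGT-EDGE-01" type="event" subtype="system" '
    'level="critical" logdesc="Application crashed" msg="Pid: 2345, application: httpsd, '
    'Signal 11 received, Backtrace: [0x0]"',
    # Ordinary SSL-VPN activity: not a crash at all.
    'date=2022-12-10 time=03:16:22 devname="FGT-EDGE-01" type="event" subtype="vpn" '
    'level="information" logdesc="SSL VPN tunnel up" msg="SSL tunnel established" '
    'remip=203.0.113.10',
]

if __name__ == "__main__":
    for hit in find_sslvpnd_crashes(SAMPLE_LOGS):
        print(f'{hit["date"]} {hit["time"]} {hit["devname"]}: {hit["msg"]}')
```

A single sslvpnd crash can also have benign causes, so a hit is a trigger for the incident response process recommended above, not proof of compromise on its own; the date, time and device name are kept in each record so hits can be correlated with the device's connection logs for the same window.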

Have you seen exploited servers in Luxembourg?

There are a significant number of potentially exploited FortiGate devices with SSL-VPN enabled in Luxembourg. We are sending notifications to the ISP abuse contacts.

I applied the patch and I don’t have any resources for doing further investigation. What should I do?

In all cases, we recommend performing a full incident response process, including a security review of the system. If you have the ability to reinstall the device from scratch, this is the safer approach.

References

Classification of this document

TLP:WHITE information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.1 - TLP:WHITE - Older versions of FortiOS are vulnerable, and some updates in the MISP event (new IP addresses from the Fortinet document)
  • Version 1.0 - TLP:WHITE - First version - 13th December 2022