Fortinet has released patches for an actively exploited pre-authentication remote code execution vulnerability in FortiOS SSL-VPN. Tracked as CVE-2022-42475, it is a critical vulnerability with a CVSSv3 score of 9.8. On successful exploitation, this vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code on the target system.
The advisory states, “Fortinet is aware of an instance where this vulnerability was exploited in the wild.”
Fortinet is the industry pioneer in providing secure networking with perfect convergence for any location, be it a remote office, branch, campus, data center, or cloud.
FortiOS, Fortinet's network operating system, is at the heart of the Fortinet Security Fabric: it connects all the Fabric's components and provides tight integration across an organization's deployment.
Description
CVE-2022-42475 is a heap-based buffer overflow vulnerability [CWE-122] in the FortiOS sslvpnd that could allow an unauthenticated, remote attacker to execute arbitrary commands via specifically crafted requests.
Fortinet recommends users immediately validate their systems against the following indicators of compromise:
Multiple log entries with:
- Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"
Presence of the following artifacts in the filesystem:
- /data/lib/libips.bak
- /data/lib/libgif.so
- /data/lib/libiptcp.so
- /data/lib/libipudp.so
- /data/lib/libjepg.so
- /var/.sslvpnconfigbk
- /data/etc/wxd.conf
- /flash
Connections to suspicious IP addresses from the FortiGate:
- 188.34.130.40:444
- 103.131.189.143:30080,30081,30443,20443
- 192.36.119.61:8443,444
- 172.247.168.153:8033
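As an added defender-side example (not code from the Qualys post or from Fortinet's advisory), the following Python checks the three indicator types above: it parses FortiGate key=value log lines for the sslvpnd crash signature, intersects a filesystem listing with the listed artifact paths, and matches session destinations against the listed IP:port pairs. The log line layout and all sample values are constructed assumptions.

```python
import re

# Indicators exactly as listed in the Fortinet advisory reproduced above.
CRASH_MARKERS = ("application:sslvpnd", "Signal 11 received", "Backtrace:")
ARTIFACT_PATHS = {
    "/data/lib/libips.bak", "/data/lib/libgif.so", "/data/lib/libiptcp.so",
    "/data/lib/libipudp.so", "/data/lib/libjepg.so", "/var/.sslvpnconfigbk",
    "/data/etc/wxd.conf", "/flash",
}
SUSPICIOUS_ENDPOINTS = {"188.34.130.40": {444}, "103.131.189.143": {30080, 30081, 30443, 20443},
                        "192.36.119.61": {8443, 444}, "172.247.168.153": {8033}}  # dst ip -> ports

# Assumed layout: space-separated key=value pairs, values containing spaces double-quoted.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortigate_log(line):
    """Return one log line's key=value fields as a dict (keys lower-cased, quotes stripped)."""
    return {k.lower(): v.strip('"') for k, v in KV_RE.findall(line)}

def is_sslvpnd_crash(line):
    """True when the line is the sslvpnd SIGSEGV crash entry the advisory describes."""
    fields = parse_fortigate_log(line)
    msg = fields.get("msg", "")
    return fields.get("logdesc") == "Application crashed" and all(m in msg for m in CRASH_MARKERS)

def count_sslvpnd_crashes(lines):
    """The advisory flags *multiple* crash entries, so report how many were seen."""
    return sum(1 for line in lines if is_sslvpnd_crash(line))

def find_artifacts(listed_paths):
    """Intersect a filesystem listing of the device with the advisory's artifact paths."""
    return sorted(set(listed_paths) & ARTIFACT_PATHS)

def find_suspicious_connections(connections):
    """connections: iterable of (dst_ip, dst_port) tuples taken from the session table."""
    return [(ip, port) for ip, port in connections if port in SUSPICIOUS_ENDPOINTS.get(ip, ())]

# Constructed sample input for illustration only, not output from a real device.
SAMPLE_LOGS = [
    'date=2022-12-12 time=10:00:01 logdesc="Application crashed" msg="[1234] application:sslvpnd,[1], Signal 11 received, Backtrace: [0x00] [0x01]"',
    'date=2022-12-12 time=10:00:05 logdesc="Application crashed" msg="[1235] application:sslvpnd,[1], Signal 11 received, Backtrace: [0x00] [0x01]"',
    'date=2022-12-12 time=10:01:00 logdesc="Admin login successful" msg="Administrator admin logged in successfully"',
]
SAMPLE_PATHS = ["/data/lib/libips.so", "/data/lib/libips.bak", "/data/etc/wxd.conf"]
SAMPLE_CONNECTIONS = [("198.51.100.7", 443), ("103.131.189.143", 30443), ("188.34.130.40", 443)]

if __name__ == "__main__":
    print("sslvpnd crash entries:", count_sslvpnd_crashes(SAMPLE_LOGS))
    print("artifacts present:", find_artifacts(SAMPLE_PATHS))
    print("suspicious connections:", find_suspicious_connections(SAMPLE_CONNECTIONS))
```

A single crash entry or a connection to one listed address on a non-listed port is not matched, mirroring the advisory's wording; tune the thresholds to your own environment.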
Affected products
- FortiOS version 7.2.0 through 7.2.2
- FortiOS version 7.0.0 through 7.0.8
- FortiOS version 6.4.0 through 6.4.10
- FortiOS version 6.2.0 through 6.2.11
- FortiOS version 6.0.0 through 6.0.15
- FortiOS version 5.6.0 through 5.6.14
- FortiOS version 5.4.0 through 5.4.13
- FortiOS version 5.2.0 through 5.2.15
- FortiOS version 5.0.0 through 5.0.14
- FortiOS-6K7K version 7.0.0 through 7.0.7
- FortiOS-6K7K version 6.4.0 through 6.4.9
- FortiOS-6K7K version 6.2.0 through 6.2.11
- FortiOS-6K7K version 6.0.0 through 6.0.14
Mitigation
Customers should upgrade to the following versions to mitigate the vulnerability:
- FortiOS version 7.2.3 or above
- FortiOS version 7.0.9 or above
- FortiOS version 6.4.11 or above
- FortiOS version 6.2.12 or above
- FortiOS-6K7K version 7.0.8 or above
- FortiOS-6K7K version 6.4.10 or above
- FortiOS-6K7K version 6.2.12 or above
- FortiOS-6K7K version 6.0.15 or above
For more information, please refer to the PSIRT Advisory (FG-IR-22-398).
Workaround
Fortinet suggests disabling SSL-VPN as a workaround for this vulnerability.
Qualys Detection
Qualys customers can scan their devices with QID 43944 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://www.fortiguard.com/psirt/FG-IR-22-398