Fortinet has released patches for an actively exploited pre-authentication remote code execution vulnerability in FortiOS SSL-VPN. Tracked as CVE-2022-42475, it is a critical vulnerability with a CVSSv3 score of 9.8. On successful exploitation, this vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code on the target system.
The advisory states, “Fortinet is aware of an instance where this vulnerability was exploited in the wild.”
Fortinet is the industry pioneer in providing secure networking with perfect convergence for any location, be it a remote office, branch, campus, data center, or cloud.
Fortinet Security Fabric’s heart is its network operating system, FortiOS. This operating system, or software, lies at the core of the Security Fabric and connects all its parts, ensuring tight integration throughout the deployment of the Security Fabric across an organization.
CVE-2022-42475 is a heap-based buffer overflow vulnerability [CWE-122] in the FortiOS sslvpnd that could allow an unauthenticated, remote attacker to execute arbitrary commands via specifically crafted requests.
Fortinet recommends users immediately validate their systems against the following indicators of compromise:
Multiple log entries with:
Logdesc=”Application crashed” and msg=”[…] application:sslvpnd,[…], Signal 11 received, Backtrace: […]“
Presence of the following artifacts in the filesystem:
Connections to suspicious IP addresses from the FortiGate:
- FortiOS version 7.2.0 through 7.2.2
- FortiOS version 7.0.0 through 7.0.8
- FortiOS version 6.4.0 through 6.4.10
- FortiOS version 6.2.0 through 6.2.11
- FortiOS version 6.0.0 through 6.0.15
- FortiOS version 5.6.0 through 5.6.14
- FortiOS version 5.4.0 through 5.4.13
- FortiOS version 5.2.0 through 5.2.15
- FortiOS version 5.0.0 through 5.0.14
- FortiOS-6K7K version 7.0.0 through 7.0.7
- FortiOS-6K7K version 6.4.0 through 6.4.9
- FortiOS-6K7K version 6.2.0 through 6.2.11
- FortiOS-6K7K version 6.0.0 through 6.0.14
Customers should upgrade to the following versions to mitigate the vulnerability:
- FortiOS version 7.2.3 or above
- FortiOS version 7.0.9 or above
- FortiOS version 6.4.11 or above
- FortiOS version 6.2.12 or above
- FortiOS-6K7K version 7.0.8 or above
- FortiOS-6K7K version 6.4.10 or above
- FortiOS-6K7K version 6.2.12 or above
- FortiOS-6K7K version 6.0.15 or above
For more information, please refer to the PSIRT Advisory (FG-IR-22-398).
Fortinet suggests disabling SSL-VPN as a workaround for this vulnerability.
Qualys customers can scan their devices with QID 43944 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.