Fortinet confirmed a critical vulnerability in FortiOS SSL-VPN products. Here's what you need to know.
Background
On December 12, 2022, Fortinet released an advisory detailing a critical security flaw (CVE-2022-42475) in FortiOS SSL-VPN products. The vulnerability allows for an unauthenticated attacker to execute arbitrary code or commands. Corvus has observed similar vulnerabilities lead to ransomware incidents. Security patches have been released and should be applied as soon as possible.
Impact
The vulnerability affects Fortinet appliances running the following versions:
- FortiOS version 7.2.0 through 7.2.2
- FortiOS version 7.0.0 through 7.0.8
- FortiOS version 6.4.0 through 6.4.10
- FortiOS version 6.2.0 through 6.2.11
- FortiOS-6K7K version 7.0.0 through 7.0.7
- FortiOS-6K7K version 6.4.0 through 6.4.9
- FortiOS-6K7K version 6.2.0 through 6.2.11
- FortiOS-6K7K version 6.0.0 through 6.0.14
Attackers can execute arbitrary code or commands against unpatched devices, gaining a foothold in the network. From there the attacker would be able to conduct further exploitation and potentially move laterally within the network. This vulnerability is under active exploitation. Impacted organizations should apply a security patch immediately.
Next steps for Fortinet customers:
- Download and install the latest version of the affected products:
  - FortiOS version 7.2.3 or above
  - FortiOS version 7.0.9 or above
  - FortiOS version 6.4.11 or above
  - FortiOS version 6.2.12 or above
  - FortiOS-6K7K version 7.0.8 or above
  - FortiOS-6K7K version 6.4.10 or above
  - FortiOS-6K7K version 6.2.12 or above
  - FortiOS-6K7K version 6.0.15 or above
- Review your Fortinet device for evidence of compromise. Fortinet has provided the following indicators of compromise to search for:
  - Multiple log entries with:
    Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"
  - Presence of the following artifacts in the filesystem:
    /data/lib/libips.bak
    /data/lib/libgif.so
    /data/lib/libiptcp.so
    /data/lib/libipudp.so
    /data/lib/libjepg.so
    /var/.sslvpnconfigbk
    /data/etc/wxd.conf
    /flash
  - Connections to suspicious IP addresses from the FortiGate device:
    188.34.130.40:444
    103.131.189.143:30080,30081,30443,20443
    192.36.119.61:8443,444
    172.247.168.153:8033
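As an added example (not from the advisory or from Fortinet), the following Python scans FortiOS-style key=value log lines for the two searchable indicators above: the sslvpnd crash entry and connections to the listed IP:port pairs. It assumes the lowercase field names FortiOS writes (logdesc, msg, dstip, dstport); the sample log lines are constructed for the demonstration.

```python
"""Scan FortiOS-style key=value log lines for the indicators listed in the advisory."""
import re
from typing import Dict, List

# Suspicious destination IP:port pairs quoted in the advisory.
SUSPICIOUS_ENDPOINTS = {
    "188.34.130.40": {444}, "103.131.189.143": {30080, 30081, 30443, 20443},
    "192.36.119.61": {8443, 444}, "172.247.168.153": {8033},
}

# key=value or key="quoted value" tokens, as FortiOS writes them.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line: str) -> Dict[str, str]:
    """Parse one FortiOS log line into a dict, stripping quotes from quoted values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}

def is_sslvpnd_crash(fields: Dict[str, str]) -> bool:
    """sslvpnd crash with Signal 11 (SIGSEGV): the log pattern the advisory names."""
    msg = fields.get("msg", "")
    return (fields.get("logdesc") == "Application crashed"
            and "application:sslvpnd" in msg
            and "Signal 11 received" in msg)

def is_suspicious_connection(fields: Dict[str, str]) -> bool:
    """Traffic record whose destination matches a listed IP and one of its listed ports."""
    if not fields.get("dstport", "").isdigit():
        return False
    return int(fields["dstport"]) in SUSPICIOUS_ENDPOINTS.get(fields.get("dstip", ""), set())

def scan(lines: List[str]) -> Dict[str, object]:
    """Summarise the indicator hits in a batch of log lines."""
    parsed = [parse_line(line) for line in lines]
    return {
        "sslvpnd_crashes": sum(is_sslvpnd_crash(f) for f in parsed),
        "suspicious_connections": [(f["dstip"], int(f["dstport"]))
                                   for f in parsed if is_suspicious_connection(f)],
    }

# Constructed sample lines for demonstration; not taken from a real device.
SAMPLE_LOGS = [
    'date=2022-12-13 time=03:12:44 type="event" subtype="system" level="critical" '
    'logdesc="Application crashed" msg="Pid: 1234, application:sslvpnd, Signal 11 received, Backtrace: [0x7f1a2b3c]"',
    'date=2022-12-13 time=03:12:50 type="event" logdesc="Application crashed" '
    'msg="Pid: 1300, application:httpsd, Signal 6 received, Backtrace: [0x7f1a2b4d]"',
    'date=2022-12-13 time=03:13:01 type="traffic" srcip=10.0.0.5 dstip=188.34.130.40 dstport=444 proto=6',
    'date=2022-12-13 time=03:13:05 type="traffic" srcip=10.0.0.5 dstip=188.34.130.40 dstport=443 proto=6',
]
```

Only the first sample line is an sslvpnd Signal 11 crash and only the third hits a listed IP:port pair; a crash of another daemon or a connection to the listed IP on an unlisted port is not counted.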