Vulnerabilities and Threats (Corvus Alerts)
      Back to home
      1. Knowledge Nest
      2. Cybersecurity Tips + Vulnerability Alerts
      3. Vulnerabilities and Threats (Corvus Alerts)

      Fortinet Vulnerability Advisory | December 2022

      Fortinet confirmed a critical vulnerability in FortiOS SSL-VPN products. Here's what you need to know.

      Background

      On December 12, 2022, Fortinet released an advisory detailing a critical security flaw (CVE-2022-42475) in FortiOS SSL-VPN products. The vulnerability allows for an unauthenticated attacker to execute arbitrary code or commands. Corvus has observed similar vulnerabilities lead to ransomware incidents. Security patches have been released and should be applied as soon as possible.

      Impact

      The vulnerability affects Fortinet appliances running the following versions:

      • FortiOS version 7.2.0 through 7.2.2
      • FortiOS version 7.0.0 through 7.0.8
      • FortiOS version 6.4.0 through 6.4.10
      • FortiOS version 6.2.0 through 6.2.11
      • FortiOS-6K7K version 7.0.0 through 7.0.7
      • FortiOS-6K7K version 6.4.0 through 6.4.9
      • FortiOS-6K7K version 6.2.0 through 6.2.11
      • FortiOS-6K7K version 6.0.0 through 6.0.14 

      Attackers can execute arbitrary code or commands against unpatched devices, gaining a foothold into the network. From there the attacker would be able to conduct further exploitation and potentially move around the network. This vulnerability is under active exploitation. Impacted organizations should apply a security patch immediately.

      Next steps for Fortinet customers:

      1. Download and install the latest version of the affected products:
        1. FortiOS version 7.2.3 or above
        2. FortiOS version 7.0.9 or above
        3. FortiOS version 6.4.11 or above
        4. FortiOS version 6.2.12 or above
        5. FortiOS-6K7K version 7.0.8 or above
        6. FortiOS-6K7K version 6.4.10 or above
        7. FortiOS-6K7K version 6.2.12 or above
        8. FortiOS-6K7K version 6.0.15 or above
      2. Review your Fortinet device for evidence of compromise. Fortinet has provided the following indicators of compromise to search for:
        1. Multiple log entries with: 
          Logdesc="Application crashed" and msg="[...] 
          application:sslvpnd,[...], Signal 11 received, Backtrace: [...]“
        2. Presence of the following artifacts in the filesystem: 
          /data/lib/libips.bak
          /data/lib/libgif.so
          /data/lib/libiptcp.so
          /data/lib/libipudp.so
          /data/lib/libjepg.so
          /var/.sslvpnconfigbk
          /data/etc/wxd.conf
          /flash
        3. Connections to suspicious IP addresses from the FortiGate device: 
          188.34.130.40:444
          103.131.189.143:30080,30081,30443,20443
          192.36.119.61:8443,444
          172.247.168.153:8033

      Resources