Critical Vulnerability in FortiOS SSL-VPN Targeting Governments

BACKGROUND

Fortinet has issued a warning on a vulnerability affecting several versions of Fortinet FortiOS used in its FortiGate secure socket layer virtual private network (SSL VPN) and firewall products. The security flaw is tracked as CVE-2022-42475 which is rated Critical and assigned a CVSS score of 9.3
out of 10. The attacks are said to be complex and highly targeted at “governmental or government-related targets.”

FortiOS is a network security operating system developed by Fortinet, Inc which provides a comprehensive set of networking and security features for organizations across all industries.

MODUS OPERANDI

CVE-2022-42475 is a heap-based buffer overflow vulnerability which involves overloading a buffer with more data than it can handle, causing a crash or creating an entry point for attacks. This event will then lead an unauthenticated, remote attacker to execute arbitrary code or commands on devices running vulnerable versions of FortiOS via specifically crafted HTTP(S) requests. Sample of the code shows that it is a variant of a generic Linux implant customized for FortiOS.

IMPACT
A successful attack may cause the attacker to gain full control of the affected system.

 

AFFECTED PRODUCTS & VERSIONS

 FortiOS:

  •  Version 7.2.0 through 7.2.2 (upgrade to FortiOS versions 7.2.3 or above)
  •  Version 7.0.0 through 7.0.8 (upgrade to FortiOS versions 7.0.9 or above)
  •  Version 6.4.0 through 6.4.10 (upgrade to FortiOS versions 6.4.11 or above)
  •  Version 6.2.0 through 6.2.11 (upgrade to FortiOS versions 6.2.12 or above)
  •  Version 6.0.0 through 6.0.15 (Upgrade to FortiOS version 6.0.16 or above)
  •  Version 5.6.0 through 5.6.14
  •  Version 5.4.0 through 5.4.13
  •  Version 5.2.0 through 5.2.15
  •  Version 5.0.0 through 5.0.14

 FortiOS-6K7K:

  •  Version 7.0.0 through 7.0.7 (upgrade to FortiOS-6K7K version 7.0.8 or above)
  •  Version 6.4.0 through 6.4.9 (upgrade to FortiOS-6K7K version 6.4.10 or above)
  •  Version 6.2.0 through 6.2.11 (upgrade to FortiOS-6K7K version 6.2.12 or above)
  •  Version 6.0.0 through 6.0.14 (upgrade to FortiOS-6K7K version 6.0.15 or above)

 FortiProxy:

  •  Version 7.2.0 through 7.2.1 (FortiProxy version 7.2.2 or above)
  •  Version 7.0.0 through 7.0.7 (FortiProxy version 7.0.8 or above)
  •  Version 2.0.0 through 2.0.11 (Please upgrade to upcoming FortiProxy version 2.0.12 or above)
  •  Version 1.2.0 through 1.2.13
  •  Version 1.1.0 through 1.1.6
  •  Version 1.0.0 through 1.0.7

 

RECOMMENDATIONS

  • Immediately upgrade to the latest patches. However, before upgrading, Fortinet recommends organizations disable the SSL-VPN device. Please refer to this link for steps and procedures: https://community.fortinet.com/t5/FortiGate/Technical-Tip-nbsp-How-to-d…
     
  • Create access rules to limit connections from specific IP addresses.
     
  • Immediately validate systems against the following indicators of compromise by searching for:

    Event Logs either on the FortiGate or the FortiAnalyzer for multiple System level log events containing the following information:

Logdesc=”Application crashed” and msg=”[…] application:sslvpnd,[…], Signal 11 received,
Backtrace: […]“
 Fortinet warned that the following file system artifacts would be present on exploited
devices:
 /data/lib/libips.bak
 /data/lib/libgif.so
 /data/lib/libiptcp.so
 /data/lib/libipudp.so
 /data/lib/libjepg.so
 /var/.sslvpnconfigbk
 /data/etc/wxd.conf
 /flash
 Fortinet also shared a list of connections to suspicious IP addresses from FortiGate:
 188.34.130.40:444
 103.131.189.143:30080,30081,30443,20443
 192.36.119.61:8443,444
 172.247.168.153:8033
 139.180.184.197
27 January 2023
01/02/23/079
 66.42.91.32
 158.247.221.101
 107.148.27.117
 139.180.128.142
 155.138.224.122
 185.174.136.20