A security update for a vulnerability in Fortinet's FortiOS was released on December 12, 2022. The Cybersecurity and Infrastructure Security Agency (CISA) noted in its advisory that the critical-severity vulnerability CVE-2022-42475 had been exploited in the wild.
The heap-based buffer overflow flaw in FortiOS could allow a remote, unauthenticated attacker to execute arbitrary code on a targeted system.
CVE-2022-42475 carried a CVSSv3 score of 9.3, making it a critical vulnerability that needed an immediate patch. FortiGuard Labs published a post detailing this flaw, which impacted several of its products.
Details of the vulnerability CVE-2022-42475
The flaw allows attackers to execute unauthorized code or commands, which could be used to open a backdoor and exfiltrate data such as passwords, files, and system information.
They could also launch further attacks, inject malicious code into the system, and turn off security protections to evade detection.
Fortinet's PSIRT tracks this flaw in FortiOS SSL-VPN as FG-IR-22-398. Fortinet stated in its advisory that it is aware of exploitation of this bug and asked users to check their systems against the following indicators of compromise.
However, the advisory did not name the victims that were compromised, nor did it describe how affected users were alerted.
Presence of the following artifacts in the filesystem:
- /data/lib/libips.bak
- /data/lib/libgif.so
- /data/lib/libiptcp.so
- /data/lib/libipudp.so
- /data/lib/libjepg.so
- /var/.sslvpnconfigbk
- /data/etc/wxd.conf
- /flash
Connections from the FortiGate to the following suspicious IP addresses:
- 34.130.40:444
- 131.189.143:30080,30081,30443,20443
- 36.119.61:8443,444
- 247.168.153:8033
The FortiOS releases that fix the heap-based buffer overflow vulnerability [CWE-122] are as follows:
- FortiOS version 7.2.3 or above
- FortiOS version 7.0.9 or above
- FortiOS version 6.4.11 or above
- FortiOS version 6.2.12 or above
- FortiOS-6K7K version 7.0.8 or above
- FortiOS-6K7K version 6.4.10 or above
- FortiOS-6K7K version 6.2.12 or above
- FortiOS-6K7K version 6.0.15 or above
Multiple log entries with:
Logdesc="Application crashed" and msg="[…] application:sslvpnd,[…], Signal 11 received, Backtrace: […]"
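The following is an added example, not code from the article or from Fortinet, that turns two of the indicators above into checks a defender can run: a fixed-version comparison against the release list given on this page, and a scan of event-log lines for the sslvpnd crash signature. The sample log lines are constructed for the example and are not real device output.

```python
import re
from typing import Iterable, List, Optional

# First fixed release per branch, taken from the advisory list above.
# Key: (product, "major.minor") -> (major, minor, patch).
FIXED_VERSIONS = {
    ("FortiOS", "7.2"): (7, 2, 3),
    ("FortiOS", "7.0"): (7, 0, 9),
    ("FortiOS", "6.4"): (6, 4, 11),
    ("FortiOS", "6.2"): (6, 2, 12),
    ("FortiOS-6K7K", "7.0"): (7, 0, 8),
    ("FortiOS-6K7K", "6.4"): (6, 4, 10),
    ("FortiOS-6K7K", "6.2"): (6, 2, 12),
    ("FortiOS-6K7K", "6.0"): (6, 0, 15),
}

def is_patched(product: str, version: str) -> Optional[bool]:
    """True if version is at or above its branch's fixed release, False if
    below it, None if the branch is not covered by the advisory list."""
    parts = tuple(int(p) for p in version.lstrip("v").split("."))
    parts = parts + (0,) * (3 - len(parts))          # pad "7.2" -> (7, 2, 0)
    fixed = FIXED_VERSIONS.get((product, f"{parts[0]}.{parts[1]}"))
    return None if fixed is None else parts >= fixed

# Crash signature from the advisory: an "Application crashed" event whose
# msg names sslvpnd and Signal 11 (SIGSEGV). Matched case-insensitively.
CRASH_RE = re.compile(
    r'logdesc="Application crashed".*application:sslvpnd.*Signal 11 received',
    re.IGNORECASE,
)

def find_sslvpnd_crashes(lines: Iterable[str]) -> List[str]:
    """Return every log line matching the sslvpnd crash signature."""
    return [ln for ln in lines if CRASH_RE.search(ln)]

# Constructed sample log lines (not real device output); only the first matches.
SAMPLE_LOG = [
    'date=2022-12-13 time=01:02:03 type="event" subtype="system" '
    'logdesc="Application crashed" msg="Pid: 1234, application:sslvpnd, '
    'Signal 11 received, Backtrace: [0x1234abcd] [0x1234abce]"',
    'date=2022-12-13 time=01:02:04 type="event" subtype="system" '
    'logdesc="Admin login successful" msg="Administrator admin logged in"',
    'date=2022-12-13 time=01:02:05 type="event" subtype="system" '
    'logdesc="Application crashed" msg="application:miglogd, Signal 11 received"',
]

if __name__ == "__main__":
    print("FortiOS 7.2.2 patched:", is_patched("FortiOS", "7.2.2"))        # False
    print("sslvpnd crash entries:", len(find_sslvpnd_crashes(SAMPLE_LOG)))  # 1
```

A single matching entry is only a crash; the advisory points to multiple such entries alongside the file artifacts and outbound connections above, so treat the hits as a trigger for the other checks rather than as proof of compromise.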
Fortinet is an American multinational corporation headquartered in California. It offers cybersecurity solutions, including antivirus software, intrusion prevention systems, endpoint security, and physical firewalls.