
Flash Notice: Critical Fortinet Zero-Day Vulnerability Exploited in the Wild

Written by Marketing | Dec 13, 2022 8:29:28 PM

Overview

A critical zero-day vulnerability, CVE-2022-42475, was found in the SSL-VPN component of multiple FortiOS versions. Fortinet assigned it a score of 9.3 on the Common Vulnerability Scoring System (CVSS), and exploitation in the wild has been confirmed in at least one instance.

CVE-2022-42475 is a heap-based buffer overflow in FortiOS SSL-VPN that could allow a remote, unauthenticated attacker to execute arbitrary code or commands by sending specially crafted requests. According to TechTarget's sister publication, Le Mag IT, the vulnerability is easy to exploit, and a successful attacker could gain full control of the device. Fortinet SSL-VPN vulnerabilities have been a favored target for years, and nation-state actors are known to keep exploiting older, already-patched Fortinet SSL-VPN flaws on devices that have not been updated.

Fortinet released an advisory (FG-IR-22-398) stating that the bug affects the following products:

  • FortiOS version 7.2.0 through 7.2.2 
  • FortiOS version 7.0.0 through 7.0.8 
  • FortiOS version 6.4.0 through 6.4.10 
  • FortiOS version 6.2.0 through 6.2.11
  • FortiOS version 6.0.0 through 6.0.15
  • FortiOS version 5.6.0 through 5.6.14 
  • FortiOS version 5.4.0 through 5.4.13 
  • FortiOS version 5.2.0 through 5.2.15 
  • FortiOS version 5.0.0 through 5.0.14
  • FortiOS-6K7K version 7.0.0 through 7.0.7 
  • FortiOS-6K7K version 6.4.0 through 6.4.9 
  • FortiOS-6K7K version 6.2.0 through 6.2.11 
  • FortiOS-6K7K version 6.0.0 through 6.0.14 

Attacks on vulnerable VPNs have continued to escalate, and governments have issued several warnings since 2020, when remote work increased. Fortinet has released patches for CVE-2022-42475; organizations should update affected devices immediately and, because exploitation was observed before the patch was available, also check exposed devices against the indicators of compromise listed below.

How Avertium is Protecting Our CUSTOMERS

  • Avertium recommends utilizing our service for DFIR (Digital Forensics and Incident Response) to help you rapidly assess, contain, eradicate, and recover from a security incident like a malware attack. 
  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts. 
  • Avertium offers Vulnerability Management to provide a deeper understanding and control over organizational information security risks.  If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap. 

Avertium's recommendations

  • Upgrade affected devices to a fixed release: 
    • Please upgrade to FortiOS version 7.2.3 or above 
    • Please upgrade to FortiOS version 7.0.9 or above
    • Please upgrade to FortiOS version 6.4.11 or above 
    • Please upgrade to FortiOS version 6.2.12 or above 
    • Please upgrade to FortiOS-6K7K version 7.0.8 (upcoming) or above 
    • Please upgrade to FortiOS-6K7K version 6.4.10 or above 
    • Please upgrade to FortiOS-6K7K version 6.2.12 (upcoming) or above 
    • Please upgrade to FortiOS-6K7K version 6.0.15 or above 
    • No fixed release is listed for the standard FortiOS 6.0 and 5.x branches; devices on those branches need to move to a branch that has a fix. 
  • Avertium recommends the following workaround if you are unable to immediately patch your devices:  
    • Disable SSL-VPN. This is a stopgap only: it cuts off remote-access users, and it does not remove anything an attacker may already have placed on a device that was exposed before the change, so still check the indicators of compromise below. 
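As an added example (not from Avertium's notice or Fortinet's advisory), the script below encodes the affected ranges and the fixed releases listed in the two sections above and checks an inventory of device version strings against them, so a fleet can be triaged without reading each device by hand. The `get system status` style version-string format it parses and the sample inventory are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, fixed release) per major.minor branch, as listed
# above. None means no fixed release is listed on this page for that branch.
AFFECTED: Dict[str, Dict[Tuple[int, int], Tuple[Version, Version, Optional[Version]]]] = {
    "FortiOS": {
        (7, 2): ((7, 2, 0), (7, 2, 2), (7, 2, 3)),
        (7, 0): ((7, 0, 0), (7, 0, 8), (7, 0, 9)),
        (6, 4): ((6, 4, 0), (6, 4, 10), (6, 4, 11)),
        (6, 2): ((6, 2, 0), (6, 2, 11), (6, 2, 12)),
        (6, 0): ((6, 0, 0), (6, 0, 15), None),
        (5, 6): ((5, 6, 0), (5, 6, 14), None),
        (5, 4): ((5, 4, 0), (5, 4, 13), None),
        (5, 2): ((5, 2, 0), (5, 2, 15), None),
        (5, 0): ((5, 0, 0), (5, 0, 14), None),
    },
    "FortiOS-6K7K": {
        (7, 0): ((7, 0, 0), (7, 0, 7), (7, 0, 8)),    # 7.0.8 listed as upcoming
        (6, 4): ((6, 4, 0), (6, 4, 9), (6, 4, 10)),
        (6, 2): ((6, 2, 0), (6, 2, 11), (6, 2, 12)),  # 6.2.12 listed as upcoming
        (6, 0): ((6, 0, 0), (6, 0, 14), (6, 0, 15)),
    },
}

VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Version]:
    """Extract major.minor.patch from a bare '7.0.8' or from a status line such as
    'Version: FortiGate-100F v7.0.8,build0418,221109 (GA)' (format assumed)."""
    m = VERSION_RE.search(text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def assess(text: str, product: str = "FortiOS") -> dict:
    """Report whether a version falls in an affected range and the fixed release
    listed for its branch (affected=True with fix=None means no fix is listed)."""
    v = parse_version(text)
    if v is None:
        return {"version": None, "affected": None, "fix": None}
    branch = AFFECTED[product].get((v[0], v[1]))
    if branch is None:
        # Branch not named in the advisory, e.g. a release newer than the fixes.
        return {"version": v, "affected": False, "fix": None}
    low, high, fix = branch
    affected = low <= v <= high
    return {"version": v, "affected": affected, "fix": fix if affected else None}


def sweep(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, dict]]:
    """inventory: (hostname, product, version string). Returns hosts still exposed."""
    out = []
    for host, product, text in inventory:
        result = assess(text, product)
        if result["affected"]:
            out.append((host, result))
    return out


if __name__ == "__main__":
    # Constructed inventory for the example; hostnames and build strings are not real devices.
    INVENTORY = [
        ("fw-edge-01", "FortiOS", "Version: FortiGate-100F v7.0.8,build0418,221109 (GA)"),
        ("fw-edge-02", "FortiOS", "Version: FortiGate-100F v7.0.9,build0444,221121 (GA)"),
        ("fw-dc-01", "FortiOS-6K7K", "v6.2.11"),
        ("fw-lab-01", "FortiOS", "v6.0.15"),
    ]
    for host, r in sweep(INVENTORY):
        v = ".".join(map(str, r["version"]))
        fix = ".".join(map(str, r["fix"])) if r["fix"] else "no fixed release listed"
        print(f"{host}: {v} affected, upgrade target: {fix}")
```

The 6K7K platforms have their own fix table, so the product has to be passed explicitly; treating a 6K7K device as plain FortiOS would mark 7.0.8 as fixed when it is the last affected 6K7K release.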

INDICATORS OF COMPROMISE (IOCs):

Fortinet recommends immediately validating your systems against the following indicators of compromise: 

  • Multiple log entries with: 
    • Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]" (Signal 11 is SIGSEGV; repeated crashes of the sslvpnd process are what attempts to trigger the heap overflow would look like, so note how many there are and whether they cluster in time) 
  • Presence of the following artifacts in the filesystem: 
    • /data/lib/libips.bak 
    • /data/lib/libgif.so 
    • /data/lib/libiptcp.so 
    • /data/lib/libipudp.so 
    • /data/lib/libjepg.so 
    • /var/.sslvpnconfigbk 
    • /data/etc/wxd.conf 
    • /flash 
  • Connections to suspicious IP addresses from the FortiGate: 
    • 188[.]34[.]130[.]40[:]444 
    • 103[.]131[.]189[.]143[:]30080,30081,30443,20443 
    • 192[.]36[.]119[.]61[:]8443,444 
    • 172[.]247[.]168[.]153[:]8033 
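As an added example (not part of Avertium's notice or Fortinet's advisory), the script below applies the three kinds of indicator above to an exported FortiGate log and to a listing of the device filesystem: it matches the sslvpnd crash signature, flags connections to the listed addresses (distinguishing a listed port from any other port), and reports which artifact paths are present. The key=value log layout it parses and the sample log lines approximate FortiGate syslog output and are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Network indicators from the list above, re-fanged. A connection to one of these
# addresses on a port other than the listed ones is still reported, just tagged differently.
IOC_ENDPOINTS: Dict[str, Set[int]] = {
    "188.34.130.40": {444},
    "103.131.189.143": {30080, 30081, 30443, 20443},
    "192.36.119.61": {8443, 444},
    "172.247.168.153": {8033},
}
# File artifacts, matched literally (note the misspelled libjepg.so; match it as written).
IOC_FILES = [
    "/data/lib/libips.bak", "/data/lib/libgif.so", "/data/lib/libiptcp.so",
    "/data/lib/libipudp.so", "/data/lib/libjepg.so", "/var/.sslvpnconfigbk",
    "/data/etc/wxd.conf",
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line: str) -> Dict[str, str]:
    """Parse a FortiGate-style key=value log line; quoted values may contain
    spaces. Keys are lower-cased so 'Logdesc' and 'logdesc' match alike."""
    return {k.lower(): (q or u) for k, q, u in KV_RE.findall(line)}


def is_sslvpnd_crash(rec: Dict[str, str]) -> bool:
    """The advisory's crash signature: an 'Application crashed' event whose
    message names sslvpnd and Signal 11 (SIGSEGV)."""
    msg = rec.get("msg", "")
    return (rec.get("logdesc") == "Application crashed"
            and re.search(r"application:\s*sslvpnd", msg) is not None
            and "Signal 11 received" in msg)


def ioc_match(rec: Dict[str, str]) -> Optional[str]:
    """'ioc_ip_port' for a listed address on a listed port, 'ioc_ip_only' for a
    listed address on any other port, None when the destination is not listed."""
    ports = IOC_ENDPOINTS.get(rec.get("dstip", ""))
    if ports is None:
        return None
    port = rec.get("dstport", "")
    return "ioc_ip_port" if port.isdigit() and int(port) in ports else "ioc_ip_only"


@dataclass
class Finding:
    line_no: int
    kind: str      # sslvpnd_crash | ioc_ip_port | ioc_ip_only
    detail: str


def sweep_logs(lines: Iterable[str]) -> List[Finding]:
    """Run both log checks over a log export and return every hit with its line number."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        rec = parse_kv(line)
        if is_sslvpnd_crash(rec):
            findings.append(Finding(n, "sslvpnd_crash", rec["msg"]))
        kind = ioc_match(rec)
        if kind:
            findings.append(Finding(n, kind, f'{rec["dstip"]}:{rec.get("dstport", "?")}'))
    return findings


def crash_count(lines: Iterable[str]) -> int:
    """One sslvpnd crash can be benign; the indicator is multiple entries, so count them."""
    return sum(1 for line in lines if is_sslvpnd_crash(parse_kv(line)))


def find_artifacts(listing: str) -> List[str]:
    """Given a listing of full paths (one per token), return the artifact paths present."""
    present = set(listing.split())
    return [p for p in IOC_FILES if p in present]


# Constructed sample lines approximating FortiGate syslog output; not real device logs.
SAMPLE_LOGS = [
    'date=2022-12-12 time=09:14:02 type="event" subtype="system" level="notice" logdesc="Application crashed" msg="Pid: 2133, application: sslvpnd, Firmware: FortiGate-100F v7.0.8,build0418,221109 (GA), Signal 11 received, Backtrace: [0x00436c3c] [0x7f2a1e3b1d80]"',
    'date=2022-12-12 time=09:14:09 type="event" subtype="system" level="notice" logdesc="Application crashed" msg="Pid: 2140, application: sslvpnd, Firmware: FortiGate-100F v7.0.8,build0418,221109 (GA), Signal 11 received, Backtrace: [0x00436c3c] [0x7f2a1e3b1d80]"',
    'date=2022-12-12 time=09:14:30 type="event" subtype="system" level="notice" logdesc="Application crashed" msg="Pid: 1902, application: ipsengine, Signal 6 received, Backtrace: [0x0041aa10]"',
    'date=2022-12-12 time=09:15:11 type="traffic" subtype="local" level="notice" srcip=10.0.0.1 srcport=51234 dstip=188.34.130.40 dstport=444 proto=6 action="accept"',
    'date=2022-12-12 time=09:16:02 type="traffic" subtype="local" level="notice" srcip=10.0.0.1 srcport=51240 dstip=103.131.189.143 dstport=443 proto=6 action="accept"',
    'date=2022-12-12 time=09:17:45 type="traffic" subtype="forward" level="notice" srcip=10.0.0.25 srcport=40000 dstip=198.51.100.7 dstport=443 proto=6 action="accept"',
]
# Constructed filesystem listing of full paths for the example.
SAMPLE_LISTING = "/data/lib/libips.so\n/data/lib/libips.bak\n/data/lib/libjepg.so\n/data/etc/hosts\n"

if __name__ == "__main__":
    for f in sweep_logs(SAMPLE_LOGS):
        print(f"line {f.line_no}: {f.kind}: {f.detail}")
    print(f"sslvpnd crashes: {crash_count(SAMPLE_LOGS)}")
    print(f"artifacts present: {find_artifacts(SAMPLE_LISTING)}")
```

The third sample line is a crash of a different process and is deliberately not flagged; the crash signature is specific to sslvpnd. Connections from the FortiGate itself show up as local traffic, which is why the samples use subtype="local", but the address check is applied to every record regardless of type so that forwarded traffic to the same infrastructure is caught too.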

SUPPORTING DOCUMENTATION

PSIRT Advisories | FortiGuard 

Fortinet confirms VPN vulnerability exploited in the wild | TechTarget 

Fortinet urges customers to fix actively exploited FortiOS SSL-VPN bug | Security Affairs 
