Fortinet SSL-VPN Pre-auth RCE bug exploited in Attacks: CVE-2022-42475
Incident Report for Ascend Security Events
Resolved
This incident has been resolved.
Posted Jan 10, 2023 - 12:53 CST
Monitoring
Fortinet SSL-VPN Pre-auth RCE bug exploited in Attacks: CVE-2022-42475

Source: Bleeping Computer

Fortinet has issued an advisory to customers regarding a FortiOS SSL-VPN vulnerability that is being actively exploited on the Internet. An unauthenticated remote attacker can use it to crash the device and potentially execute arbitrary code on it.

The flaw is tracked as CVE-2022-42475 and is a heap-based buffer overflow in the FortiOS SSL-VPN daemon (sslvpnd). Fortinet quietly fixed it on November 28th in FortiOS 7.2.3 but did not disclose details of the bug until now.

Fortinet urges users to update to one of the following versions, which include the patch for CVE-2022-42475:

• FortiOS version 7.2.3 or above
• FortiOS version 7.0.9 or above
• FortiOS version 6.4.11 or above
• FortiOS version 6.2.12 or above
• FortiOS-6K7K version 7.0.8 or above
• FortiOS-6K7K version 6.4.10 or above
• FortiOS-6K7K version 6.2.12 or above
• FortiOS-6K7K version 6.0.15 or above
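The fixed release depends on the branch the device is on (7.2.x, 7.0.x, 6.4.x, 6.2.x), and the FortiOS-6K7K line has its own, different fixed versions, so a plain "is my version newer than 7.2.3" comparison is wrong. The following script, added here as an example and not Fortinet tooling, encodes the list above and checks a version string per branch. It assumes the `v<major>.<minor>.<patch>,build<n>` layout of the `Version:` line in `get system status` output; the sample lines are constructed, and a branch that is not in the advisory's list is reported as unknown rather than safe.

```python
"""Check a FortiOS build against the fixed releases for CVE-2022-42475.

Added example for this page (not Fortinet code). Fixed-version tables are
taken from the advisory's list above; sample status lines are constructed.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Minimum fixed release per branch, keyed by (major, minor) -> patch level.
FIXED_FORTIOS = {(7, 2): 3, (7, 0): 9, (6, 4): 11, (6, 2): 12}
FIXED_FORTIOS_6K7K = {(7, 0): 8, (6, 4): 10, (6, 2): 12, (6, 0): 15}

# Matches the 'v7.0.8' token in a 'get system status' Version line
# (assumed layout: 'Version: FortiGate-100F v7.0.8,build0000,221012 (GA.F)').
_VER_RE = re.compile(r"\bv(\d+)\.(\d+)\.(\d+)\b")


def parse_version(status_line: str) -> Optional[Version]:
    """Extract (major, minor, patch) from a Version line; None if absent."""
    m = _VER_RE.search(status_line)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(version: Version, six_k_seven_k: bool = False) -> Optional[bool]:
    """True if at/above the fixed release for the branch, False if below it,
    None if the branch is not in the advisory's list (unknown, not safe)."""
    table = FIXED_FORTIOS_6K7K if six_k_seven_k else FIXED_FORTIOS
    major, minor, patch = version
    fixed_patch = table.get((major, minor))
    if fixed_patch is None:
        return None
    return patch >= fixed_patch


def assess(status_line: str, six_k_seven_k: bool = False) -> str:
    """Human-readable verdict for one Version line."""
    version = parse_version(status_line)
    if version is None:
        return "unknown: no FortiOS version found in input"
    label = "%d.%d.%d" % version
    verdict = is_patched(version, six_k_seven_k)
    if verdict is None:
        return f"{label}: branch not in the advisory's fixed list, verify manually"
    return f"{label}: {'patched' if verdict else 'VULNERABLE, upgrade required'}"


# Constructed sample lines in the assumed layout of 'get system status'.
SAMPLE_STATUS = [
    "Version: FortiGate-100F v7.0.8,build0000,221012 (GA.F)",
    "Version: FortiGate-60F v7.2.3,build0000,221110 (GA.F)",
    "Version: FortiGate-6000F v7.0.8,build0000,221102 (GA.F)",  # 6K7K platform
]

if __name__ == "__main__":
    print(assess(SAMPLE_STATUS[0]))                       # 7.0.8: VULNERABLE, upgrade required
    print(assess(SAMPLE_STATUS[1]))                       # 7.2.3: patched
    print(assess(SAMPLE_STATUS[2], six_k_seven_k=True))   # 7.0.8: patched
```

Note that the same string, 7.0.8, is vulnerable on a regular FortiGate and patched on a 6K/7K chassis, which is why the caller has to say which product line it is checking.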

Fortinet has not released details of how the vulnerability is being exploited, but it has published several Indicators of Compromise (IOCs). When the bug is triggered on a device, the SSL-VPN daemon crashes with a segmentation fault and the following entry appears in the device logs:

• Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"

Fortinet also warned that the following file system artifacts may be present on exploited devices:

• /data/lib/libips.bak
• /data/lib/libgif.so
• /data/lib/libiptcp.so
• /data/lib/libipudp.so
• /data/lib/libjepg.so
• /var/.sslvpnconfigbk
• /data/etc/wxd.conf
• /flash

The following IP addresses and ports have been observed exploiting the vulnerability on the Internet:

• 188.34.130.40:444
• 103.131.189.143:30080,30081,30443,20443
• 192.36.119.61:8443,444
• 172.247.168.153:8033
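The three indicator types above (crash log signature, file-system artifacts, attacker endpoints) are easy to screen for mechanically. The script below is an added example, not Fortinet tooling, that runs each check over exported device logs, a file listing and a set of connection records; the sample logs, paths and connections it contains are constructed for illustration, and the crash-log field layout follows what Fortinet quoted. Two caveats are built in: an sslvpnd crash can come from a failed attempt or an unrelated fault, and a successful exploit need not leave a crash at all, so a clean log does not clear the device; and a hit on an IOC address on a port other than the published one is reported separately as weaker evidence.

```python
"""Screen FortiGate evidence for the published CVE-2022-42475 indicators.

Added example for this page, not Fortinet code. Sample logs, file listing
and connections below are constructed.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Log signature from the advisory: sslvpnd dying with SIGSEGV (Signal 11).
# Field names are matched case-insensitively; whitespace after 'application:'
# is tolerated.
CRASH_RE = re.compile(
    r'logdesc="Application crashed".*application:\s*sslvpnd.*Signal 11 received',
    re.IGNORECASE,
)

# File-system artifacts from the advisory. '/flash' is a whole partition
# rather than a single file, so it is reviewed by hand and not matched here.
ARTIFACT_PATHS = frozenset({
    "/data/lib/libips.bak",
    "/data/lib/libgif.so",
    "/data/lib/libiptcp.so",
    "/data/lib/libipudp.so",
    "/data/lib/libjepg.so",
    "/var/.sslvpnconfigbk",
    "/data/etc/wxd.conf",
})

# Attacker endpoints from the advisory: IP -> ports seen.
IOC_ENDPOINTS: Dict[str, frozenset] = {
    "188.34.130.40": frozenset({444}),
    "103.131.189.143": frozenset({30080, 30081, 30443, 20443}),
    "192.36.119.61": frozenset({8443, 444}),
    "172.247.168.153": frozenset({8033}),
}


def crash_events(log_lines: Iterable[str]) -> List[str]:
    """Return log lines matching the sslvpnd crash signature.
    A crash shows an attempt (possibly failed or unrelated); no crash does
    not show the device is clean."""
    return [line for line in log_lines if CRASH_RE.search(line)]


def artifact_hits(listed_paths: Iterable[str]) -> List[str]:
    """Return advisory artifact paths present in a file listing."""
    return sorted(ARTIFACT_PATHS.intersection(listed_paths))


def endpoint_hits(connections: Iterable[Tuple[str, int]]) -> List[Tuple[str, int, str]]:
    """Return (ip, port, confidence) for connections involving IOC addresses.
    'ip+port' is the exact pair published; 'ip-only' is the same host on
    another port, worth a look but weaker evidence."""
    hits = []
    for ip, port in connections:
        ports = IOC_ENDPOINTS.get(ip)
        if ports is None:
            continue
        hits.append((ip, port, "ip+port" if port in ports else "ip-only"))
    return hits


def triage(log_lines, listed_paths, connections) -> Dict[str, list]:
    """Run all three checks and collect the hits."""
    return {
        "crashes": crash_events(log_lines),
        "artifacts": artifact_hits(listed_paths),
        "endpoints": endpoint_hits(connections),
    }


# Constructed sample evidence: one sslvpnd crash, one unrelated crash, noise.
SAMPLE_LOGS = [
    'date=2022-12-12 time=10:05:21 type="event" subtype="system" level="notice" logdesc="Admin login successful" user="admin"',
    'date=2022-12-12 time=10:06:02 type="event" subtype="system" level="critical" logdesc="Application crashed" msg="Pid: 4242, application: sslvpnd, Firmware: FortiGate-100F v7.0.8, Signal 11 received, Backtrace: [0x7f3c2a1e00c0]"',
    'date=2022-12-12 time=10:06:30 type="event" subtype="system" level="critical" logdesc="Application crashed" msg="Pid: 4300, application: ipsengine, Signal 6 received, Backtrace: [0x7f3c2a1e0100]"',
]
SAMPLE_FILES = [
    "/data/lib/libips.so", "/data/lib/libips.bak", "/var/.sslvpnconfigbk", "/data/etc/hosts",
]
SAMPLE_CONNECTIONS = [
    ("192.36.119.61", 8443), ("192.36.119.61", 22), ("8.8.8.8", 53),
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOGS, SAMPLE_FILES, SAMPLE_CONNECTIONS).items():
        print(key, value)
```

Feed `crash_events` the exported event log, `artifact_hits` the output of a file listing taken from the device, and `endpoint_hits` the remote IP/port pairs from firewall or flow logs; any non-empty result should trigger the incident-response process rather than just a patch.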

If you cannot apply the patches immediately, Fortinet recommends disabling SSL-VPN, creating access rules that limit SSL-VPN connections to specific IP addresses, and monitoring device logs for evidence of exploitation.

Our team at Ascend Technologies will be reaching out to clients to schedule an emergency firmware upgrade for any vulnerable managed device. If you have any questions, please reach out to us at: support@teamascend.com

Author: Evan Obal

Source: https://www.bleepingcomputer.com/news/security/fortinet-says-ssl-vpn-pre-auth-rce-bug-is-exploited-in-attacks/
Posted Dec 13, 2022 - 10:00 CST