Share This:

Today, Fortinet disclosed information regarding a vulnerability that allows a remote attacker to execute code without authentication. The vulnerability, tracked as CVE-2022-42475, has a severity score of 9.3. Fortinet mentioned that they are aware of an instance where it has been exploited in the wild. Barracuda MSP recommends patching affected FortiOS products as soon as possible to address this vulnerability.

What is the threat?

A heap-based buffer overflow vulnerability exists in multiple FortiOS versions. The issue specifically relates to the SSL-VPN functionality (sslvpnd). This vulnerability allows a malicious actor to execute code without authentication.  

Why is it noteworthy?

The FortiOS interfaces with the Fortigate firewall which is used by businesses for network security. Any out-of-date appliance with the SSL-VPN feature enabled is currently unprotected against this vulnerability, allowing malicious actors to gain access to the system without authentication and to take advantage of this security flaw, hence the Critical severity score of 9.3.

Fortinet has had other vulnerabilities in the recent months, such as the publicly exploited remote authentication bypass, CVE-2022-40684.

What is the exposure or risk?

When exploited, this vulnerability could lead to unauthorized code execution via specially crafted requests. Malicious code or commands can be executed and allow a malicious actor to take over a system.

The following FortiOS versions are vulnerable:

  • FortiOS version 7.2.0 through 7.2.2
  • FortiOS version 7.0.0 through 7.0.8
  • FortiOS version 6.4.0 through 6.4.10
  • FortiOS version 6.2.0 through 6.2.11
  • FortiOS-6K7K version 7.0.0 through 7.0.7
  • FortiOS-6K7K version 6.4.0 through 6.4.9
  • FortiOS-6K7K version 6.2.0 through 6.2.11
  • FortiOS-6K7K version 6.0.0 through 6.0.14

What are the recommendations?

Barracuda MSP recommends the following actions to limit the impact of a remote code execution attack:  

  • Update to the latest FortiOS version as soon as possible. The latest versions of FortiOS remediate this vulnerability.
  • If you are unable to apply the updates, disable the SSL-VPN functionality.
  • Additionally, our Security Operations Center is actively conducting threat hunting in an effort to identify any potential compromises. Furthermore, our security engineers are enabling new detection rules within the Barracuda XDR platform to proactively monitor for indicators of compromise associated with this vulnerability.
  • Details on IOCs that are related to known exploitation attempts:
    • When the vulnerability is exploited, it will generate log entries with:
      • Logdesc=”Application crashed” and msg=”[…] application:sslvpnd,[…], Signal 11 received, Backtrace: […]
    • Be on the lookout for the following artifacts in the filesystem:
      • /data/lib/libips.bak
      • /data/lib/libgif.so
      • /data/lib/libiptcp.so
      • /data/lib/libipudp.so
      • /data/lib/libjepg.so
      • /var/.sslvpnconfigbk
      • /data/etc/wxd.conf
      • /flash
    • Block connections to suspicious IP addresses from the FortiGate:
      • 188.34.130.40:444
      • 103.131.189.143:30080,30081,30443,20443
      • 192.36.119.61:8443,444
      • 172.247.168.153:8033

References

For more in-depth information about the recommendations, please visit the following links: 

If you have any questions, please contact our Security Operations Center.


Share This:
Walker Wiley

Posted by Walker Wiley

Walker is a Cybersecurity Analyst at Barracuda MSP. He's a security expert, working on our Blue Team within our Security Operations Center. Walker supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.

Leave a reply

Your email address will not be published. Required fields are marked *