Blog Post Resource December 14, 2022

New Fortinet FortiOS SSL VPN Exploit Observed in the Wild

New Fortinet FortiOS SSL VPN Exploit

FortiOS Vulnerability

On December 12th, 2022, Fortinet issued a PSIRT Advisory (FG-IR-18-384)¹ for CVE-2022-42475², which identifies a heap-based buffer overflow vulnerability in the sslvpnd service leaving affected systems vulnerable to exploitation. sslvpnd is responsible for providing SSL-based VPN functionality in FortiOS devices and, if exploited, may allow for remote code execution by unauthenticated attackers on the FortiOS device.

Affected versions include devices with:

  • FortiOS version 7.2.0 through 7.2.2
  • FortiOS version 7.0.0 through 7.0.8
  • FortiOS version 6.4.0 through 6.4.10
  • FortiOS version 6.2.0 through 6.2.11
  • FortiOS version 6.0.0 through 6.0.15
  • FortiOS version 5.6.0 through 5.6.14
  • FortiOS version 5.4.0 through 5.4.13
  • FortiOS version 5.2.0 through 5.2.15
  • FortiOS version 5.0.0 through 5.0.14
  • FortiOS-6K7K version 7.0.0 through 7.0.7
  • FortiOS-6K7K version 6.4.0 through 6.4.9
  • FortiOS-6K7K version 6.2.0 through 6.2.11
  • FortiOS-6K7K version 6.0.0 through 6.0.14

This vulnerability has been observed being exploited in the wild since before the release of the PSIRT Advisory and patch availability. Therefore, Fortinet recommends that administrators immediately validate their system by checking the following indicators:

Exploit Log Artifacts

Successfully leveraging this exploit results in a crash of the sslvpnd daemon, which can be observed in device logs as:

Logdesc=”Application crashed” and msg=”[…] application:sslvpnd,[…], Signal 11 received, Backtrace: […]“

Exploit System Artifacts

The presence of the following artifacts may indicate that a FortiOS device has been exploited:

/data/lib/libips.bak
/data/lib/libgif.so
/data/lib/libiptcp.so
/data/lib/libipudp.so
/data/lib/libjepg.so
/var/.sslvpnconfigbk
/data/etc/wxd.conf
/flash

Known Associated Malicious Infrastructure

The following IP Addresses and Ports have been observed using the exploit against potential victims:

  • 188.34.130.40:444
  • 103.131.189.143:30080,30081,30443,20443
  • 192.36.119.61:8443,444
  • 172.247.168.153:8033

Adlumin Response

To ensure the continued protection of our customers, Adlumin’s Threat Research group reviewed stored data for evidence of exploitation of the vulnerability. To search for Indicators of Compromise (IOC), Threat Research used Adlumin’s MDR capabilities, allowing for centralized-logging and querying of data across multiple security relevant devices and platforms.

By searching Firewall and Network Device events, Adlumin was able to observe multiple instances of attempted attacker exploitation of potentially vulnerable FortiOS devices. Proper security practices and configuration resulted in over 96% of the attempted connections being blocked. Adlumin’s Threat Research group also investigated completed connections to identify if exploitation was successfully conducted from the attacker IPs. We notified customers where appropriate to help remediate systems and defend their network.

Adlumin’s Threat Research group also searched for evidence of sslvpnd application crashes on the devices. Observation of logs associated with sslvpnd crashes is a good first indicator that a device was exploited. While we observed crashes for other VPN services, no sslvpnd crashes were found.

Recommendations

Adlumin recommends that all customers using Fortinet FortiOS products immediately update their systems to the latest patched versions, which fixes the current vulnerability:

  • Please upgrade to FortiOS version 7.2.3 or above
  • Please upgrade to FortiOS version 7.0.9 or above
  • Please upgrade to FortiOS version 6.4.11 or above
  • Please upgrade to FortiOS version 6.2.12 or above
  • Please upgrade to upcoming FortiOS-6K7K version 7.0.8 or above
  • Please upgrade to FortiOS-6K7K version 6.4.10 or above
  • Please upgrade to upcoming FortiOS-6K7K version 6.2.12 or above
  • Please upgrade to FortiOS-6K7K version 6.0.15 or above

Adlumin’s Continuous Vulnerability Management (CVM) solution can help your business manage the CVM Lifecycle, including Patch Management. Implementing automated and best CVM practices can help minimize the gap between exploitation capability detection and system defense.

Alternative

If users are unable to patch affected devices, disabling the SSL VPN service should shield the device from exploitation. Migration to other unaffected VPN services, such as IPSEC is also possible.

Resources

  1. Fortinet, PSIRT Advisories – FortiOS – heap-based buffer overflow in sslvpnd https://www.fortiguard.com/psirt/FG-IR-22-398
  2. MITRE, CVE Record – CVE-2022-42475. https://www.cve.org/CVERecord?id=CVE-2022-42475