WARNING: Critical Pre-Authentication Remote Code Execution Vulnerability in Fortinet SSL VPN
CVE-2022-42475
CVSS score: 9.3
Sources
https://www.fortiguard.com/psirt/FG-IR-22-398
Risks
A new critical flaw affects the SSL-VPN feature of Fortinet FortiGate firewalls (FortiOS).
The attack requires no user interaction, can be executed remotely, and can lead to full takeover of vulnerable devices. The impact on confidentiality, integrity and availability is high.
This vulnerability is being actively exploited in the wild by threat actors.
In case of an intrusion, you can report the incident via: https://cert.be/en/report-incident
Description
This vulnerability is straightforward to exploit: no credentials and no user interaction are required.
A heap-based buffer overflow vulnerability in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.
Recommended actions
Upgrade
The CCB strongly encourages organisations to ensure they upgrade their systems to:
- FortiOS version 7.2.3 or above
- FortiOS version 7.0.9 or above
- FortiOS version 6.4.11 or above
- FortiOS version 6.2.12 or above
- upcoming FortiOS version 6.0.16 or above
- upcoming FortiOS-6K7K version 7.0.8 or above
- FortiOS-6K7K version 6.4.10 or above
- upcoming FortiOS-6K7K version 6.2.12 or above
- FortiOS-6K7K version 6.0.15 or above
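The check below turns the version list above into a function an inventory script can call per device. It is an added example written for this page, not CCB or Fortinet tooling: the branch-to-fixed-release table is taken from the list above, the accepted version string formats ("v7.0.8", "7.0.8", "v7.0.8 build0418") are an assumption, and a branch the advisory does not list (for example a later 7.4 release, or an end-of-support 5.x release) is deliberately reported as "unknown" rather than guessed.

```python
"""Decide whether a FortiOS build is at or above the first fixed release
for CVE-2022-42475, using the version list in this advisory.

Added example, not part of the CCB advisory or of Fortinet's tooling.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release per (platform, major.minor branch), from the advisory.
# At publication, 6.0.16, 6K7K 7.0.8 and 6K7K 6.2.12 were still "upcoming":
# a device on those branches is vulnerable until that release ships.
FIXED_VERSIONS: Dict[str, Dict[Tuple[int, int], Version]] = {
    "FortiOS": {
        (7, 2): (7, 2, 3),
        (7, 0): (7, 0, 9),
        (6, 4): (6, 4, 11),
        (6, 2): (6, 2, 12),
        (6, 0): (6, 0, 16),
    },
    "FortiOS-6K7K": {
        (7, 0): (7, 0, 8),
        (6, 4): (6, 4, 10),
        (6, 2): (6, 2, 12),
        (6, 0): (6, 0, 15),
    },
}

# Assumed input formats: "v7.0.8", "7.0.8", "v7.0.8 build0418" (build suffix ignored).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """'v7.0.8 build0418' -> (7, 0, 8); raises on anything unrecognised."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_fixed(version: str, platform: str = "FortiOS") -> Optional[bool]:
    """True  -> at or above the first fixed release of its branch.
    False -> below it (vulnerable).
    None  -> branch not covered by the advisory; review manually, do not guess."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS[platform].get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) >= fixed


if __name__ == "__main__":
    # Constructed inventory: (hostname, platform, reported version).
    inventory = [
        ("fgt-edge-01", "FortiOS", "v7.0.7 build0367"),
        ("fgt-edge-02", "FortiOS", "v7.2.3 build1262"),
        ("fgt-dc-01", "FortiOS-6K7K", "v6.4.10 build1830"),
    ]
    for host, platform, ver in inventory:
        state = {True: "fixed", False: "VULNERABLE", None: "unknown branch"}[is_fixed(ver, platform)]
        print(f"{host:12} {platform:13} {ver:20} {state}")
```

Note that the same version number means different things on the two platforms: 6.4.10 is fixed on FortiOS-6K7K but still vulnerable on standard FortiOS (which needs 6.4.11), so the platform must be passed explicitly.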
Mitigation/workaround
- Disable the SSL-VPN feature if it is not essential.
- Review your logs to check that no unauthorised access has taken place.
- Set up conditional access rules (for example GeoIP restrictions on the SSL-VPN source addresses) to limit your exposure.
Monitoring/Detection
The CCB recommends that organisations scale up their monitoring and detection capabilities to detect any related suspicious activity, ensuring a fast response in case of an intrusion.
Monitor the presence of the following logs on your firewall:
Logdesc="Application crashed" and msg="[…] application:sslvpnd,[…], Signal 11 received, Backtrace: […]"
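The scanner below applies that signature to exported FortiOS event logs. It is an added example for this page, not a CCB or Fortinet tool. It assumes the standard FortiOS key="value" log layout (lower-cased field names, quoted values); the sample lines embedded in it are constructed for illustration, using the field names quoted above but made-up device names, timestamps and backtrace addresses. Because the advisory elides part of the msg text with "[…]", the match tolerates whitespace after "application:" rather than requiring an exact string.

```python
"""Scan FortiOS event logs for the sslvpnd crash signature that the
advisory lists as an indicator of attempted exploitation of CVE-2022-42475.

Added example, not part of the CCB advisory or of any Fortinet tool.
"""
import re
from typing import Dict, Iterable, List

# One key=value pair; quoted values may contain spaces, commas and brackets.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Split a FortiOS log line into a dict: keys lower-cased, quotes stripped."""
    fields: Dict[str, str] = {}
    for m in _KV_RE.finditer(line):
        key = m.group(1).lower()
        fields[key] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def is_sslvpnd_crash(fields: Dict[str, str]) -> bool:
    """Advisory signature: an 'Application crashed' event whose message names
    sslvpnd and reports Signal 11 (SIGSEGV). The spacing after 'application:'
    is tolerated because the advisory elides that part of the message."""
    if fields.get("logdesc", "").lower() != "application crashed":
        return False
    msg = fields.get("msg", "").lower()
    return (re.search(r"application:\s*sslvpnd", msg) is not None
            and "signal 11 received" in msg)


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed fields of every line matching the crash signature."""
    return [f for f in (parse_fortios_log(ln) for ln in lines) if is_sslvpnd_crash(f)]


# Constructed sample log (not captured from a real device).
SAMPLE_LOG = [
    'date=2022-12-12 time=09:14:03 devname="fgt-edge-01" type="event" subtype="system" '
    'level="critical" logdesc="Application crashed" '
    'msg="Pid: 1234, application:sslvpnd, Firmware: FortiGate-100F v7.0.7,build0367,'
    '220415 (GA.F), Signal 11 received, Backtrace: [0x00007f1a2c3d4e5f] [0x00007f1a2c3d5a10]"',
    # Crash of a different daemon: same logdesc, should not match.
    'date=2022-12-12 time=09:20:41 devname="fgt-edge-01" type="event" subtype="system" '
    'level="critical" logdesc="Application crashed" '
    'msg="Pid: 1310, application:httpsd, Signal 11 received, Backtrace: [0x00007f1a2c3d6000]"',
    # Ordinary SSL-VPN login event: should not match.
    'date=2022-12-12 time=09:21:05 devname="fgt-edge-01" type="event" subtype="vpn" '
    'level="information" logdesc="SSL VPN login" user="alice" msg="SSL user logged in"',
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['date']} {hit['time']} {hit['devname']}: sslvpnd crash -> {hit['msg'][:60]}...")
```

A hit warrants incident-response handling of that device, but two caveats apply: a single sslvpnd crash is not proof of exploitation (the daemon can crash for other reasons), and a successful heap overflow need not crash the process at all, so the absence of this log line does not clear a device that was exposed while unpatched.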
References
https://olympecyberdefense.fr/vpn-ssl-fortigate/
https://www.tenable.com/blog/cve-2022-42475-fortinet-patches-zero-day-in-fortios-ssl-vpns
https://thehackernews.com/2022/12/fortinet-warns-of-active-exploitation.html
https://research.kudelskisecurity.com/2022/12/12/bulletin-critical-severity-buffer-overflow-0-day-vulnerability-in-fortinet-ssl-vpn-under-active-exploitation-cve-2022-42475/