The vulnerability is now tracked as CVE-2022-42475 and carries a CVSS score of 9.3 out of 10. It is a heap-based buffer overflow in sslvpnd, the FortiOS SSL-VPN daemon, and is rated critical because it allows pre-authentication remote code execution.
Successful exploitation lets a remote, unauthenticated attacker execute arbitrary code or commands on the appliance via specially crafted requests.
Active Exploitation of New SSL-VPN
Fortinet said in its advisory that it is "aware of an instance where this vulnerability was exploited in the wild", urged customers to apply the updates, and recommended immediately validating their systems against the following indicators of compromise:
Multiple log entries with:
Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"
and the presence of the following artifacts in the filesystem:
/data/lib/libips.bak
/data/lib/libgif.so
/data/lib/libiptcp.so
/data/lib/libipudp.so
/data/lib/libjepg.so
/var/.sslvpnconfigbk
/data/etc/wxd.conf
/flash
The following products are affected:
Affected Products | Solutions |
---|---|
FortiOS version 7.2.0 through 7.2.2 | Please upgrade to FortiOS version 7.2.3 or above |
FortiOS version 7.0.0 through 7.0.8 | Please upgrade to FortiOS version 7.0.9 or above |
FortiOS version 6.4.0 through 6.4.10 | Please upgrade to FortiOS version 6.4.11 or above |
FortiOS version 6.2.0 through 6.2.11 | Please upgrade to FortiOS version 6.2.12 or above |
FortiOS-6K7K version 7.0.0 through 7.0.7 | Please upgrade to FortiOS-6K7K version 7.0.8 or above |
FortiOS-6K7K version 6.4.0 through 6.4.9 | Please upgrade to FortiOS-6K7K version 6.4.10 or above |
FortiOS-6K7K version 6.2.0 through 6.2.11 | Please upgrade to FortiOS-6K7K version 6.2.12 or above |
FortiOS-6K7K version 6.0.0 through 6.0.14 | Please upgrade to FortiOS-6K7K version 6.0.15 or above |
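As an added example (not code from Fortinet, the article, or any Fortinet tool), the following Python serves both the IOC list above and the version table: it parses exported FortiOS syslog lines, keeps only crashes matching the sslvpnd "Signal 11" signature, reads the firmware version out of each crash message and classifies it against the affected ranges, and intersects a collected file listing with the artifact paths. The sample log lines, device names and file listing are constructed; the `FortiGate-60F v7.0.8,build...` firmware format inside the crash message is an assumption about how FortiOS formats that field.

```python
"""Triage helpers for the CVE-2022-42475 indicators listed above.

Added example (not code from Fortinet or the article): scans exported FortiOS
syslog lines for the sslvpnd "Signal 11" crash signature, maps the firmware
version in each crash message onto the affected/fixed ranges from the table,
and checks a file listing against the advisory's artifact paths.
"""
from __future__ import annotations

import re
from typing import Iterable

# Filesystem artifacts named in the advisory.
ARTIFACT_PATHS = {
    "/data/lib/libips.bak", "/data/lib/libgif.so", "/data/lib/libiptcp.so",
    "/data/lib/libipudp.so", "/data/lib/libjepg.so", "/var/.sslvpnconfigbk",
    "/data/etc/wxd.conf", "/flash",
}

# Inclusive affected ranges from the table, with the first fixed release per branch.
AFFECTED_RANGES = {
    "FortiOS": [
        ((7, 2, 0), (7, 2, 2), "7.2.3"), ((7, 0, 0), (7, 0, 8), "7.0.9"),
        ((6, 4, 0), (6, 4, 10), "6.4.11"), ((6, 2, 0), (6, 2, 11), "6.2.12"),
    ],
    "FortiOS-6K7K": [
        ((7, 0, 0), (7, 0, 7), "7.0.8"), ((6, 4, 0), (6, 4, 9), "6.4.10"),
        ((6, 2, 0), (6, 2, 11), "6.2.12"), ((6, 0, 0), (6, 0, 14), "6.0.15"),
    ],
}

# key="quoted value" or key=bareword, as FortiOS writes syslog fields.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# The crash signature from the advisory; whitespace after "application:" varies.
_CRASH_RE = re.compile(r"application:\s*sslvpnd\b.*Signal 11 received.*Backtrace:", re.S)
# First "vX.Y.Z" in a crash message is taken as the firmware build that crashed (assumption).
_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_fortios_log(line: str) -> dict[str, str]:
    """Split one FortiOS log line into lower-cased field names and unquoted values."""
    fields: dict[str, str] = {}
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]
        fields[key.lower()] = raw
    return fields


def is_sslvpnd_crash(fields: dict[str, str]) -> bool:
    """True only for the exact IOC: logdesc 'Application crashed' plus an sslvpnd SIGSEGV backtrace."""
    return (fields.get("logdesc", "").lower() == "application crashed"
            and _CRASH_RE.search(fields.get("msg", "")) is not None)


def parse_version(text: str) -> tuple[int, int, int] | None:
    m = _VERSION_RE.search(text)
    return (int(m[1]), int(m[2]), int(m[3])) if m else None


def assess_version(product: str, version) -> tuple[str, str | None]:
    """Classify a version as 'affected', 'fixed' (same branch, at or past the fix) or 'unlisted'.

    'unlisted' means the branch is not in the table at all, which is not the same as safe.
    """
    v = parse_version(version) if isinstance(version, str) else version
    if v is None:
        return ("unknown", None)
    for lo, hi, fix in AFFECTED_RANGES.get(product, []):
        if v[:2] == lo[:2]:
            return ("affected", fix) if lo <= v <= hi else ("fixed", fix)
    return ("unlisted", None)


def triage_logs(lines: Iterable[str], product: str = "FortiOS") -> list[dict]:
    """One record per matching crash: device, firmware tuple, and status against the table."""
    hits = []
    for line in lines:
        f = parse_fortios_log(line)
        if not is_sslvpnd_crash(f):
            continue
        fw = parse_version(f["msg"])
        status, fix = assess_version(product, fw)
        hits.append({"devname": f.get("devname"), "firmware": fw, "status": status, "fix": fix})
    return hits


def find_artifacts(listing: Iterable[str]) -> list[str]:
    """Intersect absolute paths collected from the appliance (e.g. via 'fnsysctl ls') with the IOC paths."""
    return sorted({p.strip() for p in listing} & ARTIFACT_PATHS)


# Constructed sample input: four syslog lines in FortiOS style (not real device logs).
SAMPLE_LOGS = [
    'date=2022-12-12 time=10:22:31 devname="FGT-EDGE-01" type="event" subtype="system" level="critical" vd="root" logdesc="Application crashed" msg="Pid: 1234, application: sslvpnd, Firmware: FortiGate-60F v7.0.8,build0418b0418,221027 (GA.F) (Release), Signal 11 received, Backtrace: [0x7f3a1c2b4e10] [0x7f3a1c2b4f22]"',
    'date=2022-12-12 time=10:23:05 devname="FGT-EDGE-02" type="event" subtype="system" level="critical" vd="root" logdesc="Application crashed" msg="Pid: 2222, application: miglogd, Firmware: FortiGate-100F v7.0.8,build0418b0418,221027 (GA.F) (Release), Signal 11 received, Backtrace: [0x7f9b00112233]"',
    'date=2022-12-12 time=10:24:40 devname="FGT-EDGE-03" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" msg="Administrator admin logged in successfully from https(10.0.0.5)"',
    'date=2022-12-12 time=10:25:12 devname="FGT-EDGE-04" type="event" subtype="system" level="critical" vd="root" logdesc="Application crashed" msg="Pid: 3333, application: sslvpnd, Firmware: FortiGate-200F v7.0.9,build0444b0444,221118 (GA.F) (Release), Signal 11 received, Backtrace: [0x7f11aa22bb33]"',
]

# Constructed file listing: two IOC paths next to their legitimate look-alikes.
SAMPLE_LISTING = [
    "/data/lib/libips.so", "/data/lib/libips.bak", "/data/lib/libjpeg.so",
    "/data/lib/libjepg.so", "/data/etc/", "/var/log/",
]

if __name__ == "__main__":
    for hit in triage_logs(SAMPLE_LOGS):
        print(hit)
    print("artifacts present:", find_artifacts(SAMPLE_LISTING))
```

Two design choices matter for triage. A crash on a build the table lists as fixed (FGT-EDGE-04 above) is reported with status `fixed` rather than dropped, because the crash signature alone is only a lead and the build may still deserve a look. A version whose branch is absent from the table comes back as `unlisted`, not `fixed`, so a script that treats anything other than `affected` as safe would be wrong. Note also that the artifact check is an exact-path match: `libjepg.so` is an IOC, the legitimately named `libjpeg.so` is not.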
Fortinet had earlier warned of active exploitation of a different critical flaw, the authentication bypass CVE-2022-40684 in FortiOS, FortiProxy, and FortiSwitchManager, which has a CVSS score of 9.6.
Security researcher Will Dormann pointed out in a tweet that the CVE entry for CVE-2022-42475 was still marked "RESERVED" even after the vendor had shipped the fix.
The CVE entry for CVE-2022-42475 is still "RESERVED".
Despite some of the fixed FortiOS versions being available a month ago, there was no mention of there being a vulnerability fixed until today it seems. 🤔 https://t.co/xvu6J9lQof pic.twitter.com/Ck2CqcqNhY
— Will Dormann (@wdormann) December 12, 2022