On December 12, Fortinet reported a heap-based buffer overflow vulnerability, tracked as CVE-2022-42475, in the FortiOS SSL-VPN service. The vulnerability received a critical CVSS score of 9.3 and may allow threat actors to achieve remote code execution (RCE) via specifically crafted requests. According to the Fortinet PSIRT advisory, the vulnerability in the FortiOS SSL-VPN service is currently being exploited in the wild, and threat actors have already deployed malicious files on the exploited devices.
A zero-day vulnerability in FortiOS SSL-VPN that Fortinet addressed last month was exploited by unknown actors in attacks targeting governments and other large organizations. "The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," Fortinet researchers said in a post-mortem analysis published this week. The attacks entailed the exploitation of CVE-2022-42475, a heap-based buffer overflow flaw that could enable an unauthenticated remote attacker to execute arbitrary code via specifically crafted requests.
ARTIFACTS AND IN-THE-WILD EXPLOITATION
According to the Fortinet advisory, the company is aware of an instance where this vulnerability was exploited in the wild, and recommends immediately validating your systems by looking for the following indicators:

Multiple log entries with:
Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received,

Presence of the following artifacts in the filesystem:
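The crash-log indicator above is easy to hunt for at scale once the FortiOS key="value" log syntax is parsed. The following helper is an added example written for this page, not Fortinet's code or tooling: it parses syslog-style lines, flags entries where logdesc is "Application crashed" and the msg names sslvpnd receiving signal 11, and reports devices that show multiple such entries (the advisory calls out multiple crashes, not a single one). The log lines are constructed to mimic FortiOS output; the field names devname, date and time are assumptions, and the exact msg layout is an approximation of the fragment quoted above.

```python
"""Hunt FortiOS logs for the sslvpnd crash signature tied to CVE-2022-42475.

Added example, not Fortinet's code. Sample lines are constructed; only the
logdesc and msg fields come from the advisory text, the rest are assumed.
"""
import re
from collections import Counter

# Matches key="quoted value" or key=bareword pairs in a FortiOS-style line.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_line(line: str) -> dict:
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, raw in _KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def is_sslvpnd_crash(fields: dict) -> bool:
    """True when the entry matches the advisory's crash signature:
    logdesc="Application crashed" with sslvpnd receiving signal 11 (SIGSEGV)."""
    msg = fields.get("msg", "")
    return (fields.get("logdesc") == "Application crashed"
            and "application:sslvpnd" in msg
            and "Signal 11 received" in msg)


def find_crashes(lines, threshold: int = 2) -> dict:
    """Return {devname: count} for devices whose sslvpnd crash entries reach
    `threshold`; a single crash can be benign, repeated ones warrant a look."""
    counts = Counter()
    for line in lines:
        fields = parse_fortios_line(line)
        if is_sslvpnd_crash(fields):
            counts[fields.get("devname", "unknown")] += 1
    return {dev: n for dev, n in counts.items() if n >= threshold}


# Constructed sample log lines (not real device output).
SAMPLE_LOGS = [
    'date=2022-12-12 time=10:01:02 devname="fw-edge-1" logdesc="Application crashed" '
    'msg="[crash] application:sslvpnd,[pid 1234], Signal 11 received, Backtrace: [...]"',
    'date=2022-12-12 time=10:01:40 devname="fw-edge-1" logdesc="Application crashed" '
    'msg="[crash] application:sslvpnd,[pid 1240], Signal 11 received, Backtrace: [...]"',
    'date=2022-12-12 time=10:02:00 devname="fw-edge-2" logdesc="Application crashed" '
    'msg="[crash] application:sslvpnd,[pid 2001], Signal 11 received, Backtrace: [...]"',
    # A different daemon crashing is not this indicator.
    'date=2022-12-12 time=10:03:00 devname="fw-edge-3" logdesc="Application crashed" '
    'msg="[crash] application:ipsengine,[pid 88], Signal 11 received, Backtrace: [...]"',
    'date=2022-12-12 time=10:04:00 devname="fw-edge-1" logdesc="Admin login successful" '
    'msg="Administrator admin logged in successfully from ssh"',
]

if __name__ == "__main__":
    for dev, n in find_crashes(SAMPLE_LOGS).items():
        print(f"{dev}: {n} sslvpnd crash entries; check for the advisory's filesystem artifacts")
```

Feed it the exported crash log (FortiOS "crashlog" or forwarded syslog) one line at a time; a device that trips the threshold should then be checked for the filesystem artifacts listed in the advisory, since a crash alone only shows an attempt, not a successful implant.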
The vulnerability has drawn high interest from both security researchers and threat actors across multiple darknet forums and Twitter accounts.
A quick workaround suggested by Fortinet is to disable SSL-VPN. To fully remediate the vulnerability, it is advised to upgrade the vulnerable software, FortiOS and FortiOS-6K7K according to the following table:
For more on this attack and how to manage similar attacks, contact our managed cybersecurity services team here.