On December 12, Fortinet reported a heap-based buffer overflow vulnerability, tracked as CVE-2022-42475, in the FortiOS SSL-VPN service. The vulnerability received a critical CVSS score of 9.3 and may allow threat actors to achieve remote code execution (RCE) via specifically crafted requests. According to the PSIRT advisory, the vulnerability affecting FortiOS through the SSL VPN service is currently being exploited in the wild, and threat actors have already deployed malicious files on the exploited devices.
Source: FortiOS Flaw Exploited as Zero-Day in Attacks on Government and Organizations (thehackernews.com)
A zero-day vulnerability in FortiOS SSL-VPN that Fortinet addressed last month was exploited by unknown actors in attacks targeting governments and other large organizations. "The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," Fortinet researchers said in a post-mortem analysis published this week. The attacks entailed the exploitation of CVE-2022-42475, a heap-based buffer overflow flaw that could enable an unauthenticated remote attacker to execute arbitrary code via specifically crafted requests.
ARTIFACTS AND IN THE WILD EXPLOITATION
According to the Fortinet advisory, the company is aware of an instance where this vulnerability was exploited in the wild, and recommends immediately validating your systems by looking for the following:
Multiple log entries with:
Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"
Presence of the following artifacts in the filesystem:
/data/lib/libips.bak
/data/lib/libgif.so
/data/lib/libiptcp.so
/data/lib/libipudp.so
/data/lib/libjepg.so
/var/.sslvpnconfigbk
/data/etc/wxd.conf
/flash
The vulnerability has also drawn high interest from both security researchers and threat actors across multiple darknet forums and Twitter accounts.
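The two checks above (crash log entries for sslvpnd and the listed filesystem artifacts) can be scripted for triage. The following Python is an added example written for this page, not Fortinet's code; the log lines and the directory listing it runs on are constructed samples, and the exact log field names on a given FortiOS build should be confirmed against the device.

```python
import re
from typing import Iterable, List

# Filesystem artifacts listed in the Fortinet advisory for CVE-2022-42475.
ARTIFACT_PATHS = {
    "/data/lib/libips.bak", "/data/lib/libgif.so", "/data/lib/libiptcp.so",
    "/data/lib/libipudp.so", "/data/lib/libjepg.so", "/var/.sslvpnconfigbk",
    "/data/etc/wxd.conf", "/flash",
}

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line: str) -> dict:
    """Parse a FortiOS-style key=value log line into a dict (keys lowercased)."""
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def is_sslvpnd_crash(line: str) -> bool:
    """True when the entry matches the advisory's crash signature:
    logdesc "Application crashed" plus an sslvpnd SIGSEGV (Signal 11) in msg."""
    fields = parse_kv(line)
    msg = fields.get("msg", "")
    return (fields.get("logdesc", "").lower() == "application crashed"
            and "application:sslvpnd" in msg
            and "Signal 11 received" in msg)


def find_crashes(lines: Iterable[str]) -> List[str]:
    """Return every log line that matches the sslvpnd crash signature."""
    return [line for line in lines if is_sslvpnd_crash(line)]


def find_artifacts(present_paths: Iterable[str]) -> List[str]:
    """Return the advisory artifact paths that appear in a device file listing."""
    return sorted(ARTIFACT_PATHS.intersection(present_paths))


# Constructed sample input (not real device output): one matching crash,
# one unrelated event, one crash of a different daemon that must not match.
SAMPLE_LOGS = [
    'date=2022-12-12 time=10:01:02 logdesc="Application crashed" msg="Process sslvpnd crashed application:sslvpnd, Signal 11 received, Backtrace: [...]"',
    'date=2022-12-12 time=10:05:00 logdesc="Admin login successful" msg="Administrator admin logged in from https(192.0.2.10)"',
    'date=2022-12-12 time=10:06:00 logdesc="Application crashed" msg="Process httpsd crashed application:httpsd, Signal 11 received, Backtrace: [...]"',
]
SAMPLE_FS = ["/data/lib/libips.so", "/data/lib/libips.bak", "/data/lib/libjepg.so",
             "/var/.sslvpnconfigbk", "/data/etc/hosts"]

if __name__ == "__main__":
    print("crash entries:", find_crashes(SAMPLE_LOGS))
    print("artifacts present:", find_artifacts(SAMPLE_FS))
```

Any hit from either check warrants treating the device as compromised and following the advisory's remediation steps rather than just restarting the daemon.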
RECOMMENDATIONS
A quick workaround suggested by Fortinet is to disable SSL-VPN. To fully remediate the vulnerability, it is advised to upgrade the vulnerable software, FortiOS and FortiOS-6K7K, according to the following table:
IOCS
IPs:
188[.]34.130.40:444
103[.]131.189.143:30080,30081,30443,20443
192[.]36.119.61:8443,444
172[.]247.168.153:8033
For more on this attack and how to manage similar attacks, contact our managed cybersecurity services team here.