FortiOS Flaw Exploited as Zero-Day in Attacks

On December 12, Fortinet reported a heap-based buffer overflow vulnerability, tracked as CVE-2022-42475, in the FortiOS SSL-VPN service. The vulnerability received a critical CVSS score of 9.3 and may allow threat actors to achieve remote code execution (RCE) via specifically crafted requests. According to the PSIRT advisory, the vulnerability affecting FortiOS through the SSL-VPN service is currently being exploited in the wild, and threat actors have already deployed malicious files on the exploited devices.

Source: FortiOS Flaw Exploited as Zero-Day in Attacks on Government and Organizations (thehackernews.com)

A zero-day vulnerability in FortiOS SSL-VPN that Fortinet addressed last month was exploited by unknown actors in attacks targeting governments and other large organizations. "The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," Fortinet researchers said in a post-mortem analysis published this week. The attacks entailed the exploitation of CVE-2022-42475, a heap-based buffer overflow flaw that could enable an unauthenticated remote attacker to execute arbitrary code via specifically crafted requests.

ARTIFACTS AND IN THE WILD EXPLOITATION
According to the Fortinet advisory, the company is aware of an instance where this vulnerability was exploited in the wild, and recommends immediately validating your systems by looking for the following:

Multiple log entries with:
Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"

Presence of the following artifacts in the filesystem:
/data/lib/libips.bak
/data/lib/libgif.so
/data/lib/libiptcp.so
/data/lib/libipudp.so
/data/lib/libjepg.so
/var/.sslvpnconfigbk
/data/etc/wxd.conf
/flash

The vulnerability has drawn high interest from both security researchers and threat actors across multiple darknet forums and Twitter accounts.

RECOMMENDATIONS
A quick workaround suggested by Fortinet is to disable SSL-VPN. To fully remediate the vulnerability, it is advised to upgrade the vulnerable software, FortiOS and FortiOS-6K7K according to the following table:

IOCS
IPs:
188[.]34.130.40:444
103[.]131.189.143:30080,30081,30443,20443
192[.]36.119.61:8443,444
172[.]247.168.153:8033
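The two checks above (the sslvpnd crash signature in the event log and the artifact paths) and the IOC list lend themselves to a small triage script. The following Python is an added example written for this post; it is not Fortinet's or QMasters' code. It assumes FortiOS-style key=value log lines (the sample event and traffic lines below are constructed, not captured from a device) and a filesystem root under which the artifact paths are checked (build_demo_tree() creates a throwaway tree with two of the paths present so the script runs offline).

```python
"""Triage helpers for the CVE-2022-42475 indicators listed in this post (added example)."""
import os
import re
import tempfile
from typing import Dict, Iterable, List, Set, Tuple

# --- 1. FortiOS event-log parsing -------------------------------------------
# FortiOS writes key=value pairs; quoted values may contain spaces and commas.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_kv(line: str) -> Dict[str, str]:
    """Turn one FortiOS log line into a dict; keys are lower-cased, quotes stripped."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key.lower()] = value[1:-1] if value.startswith('"') else value
    return fields

# The advisory signature: logdesc "Application crashed" and a msg naming sslvpnd
# followed by "Signal 11 received" (a SIGSEGV in the SSL-VPN daemon).
CRASH_MSG_RE = re.compile(r"application:\s*sslvpnd,.*Signal 11 received", re.IGNORECASE)

def is_sslvpnd_crash(fields: Dict[str, str]) -> bool:
    return (fields.get("logdesc", "").lower() == "application crashed"
            and CRASH_MSG_RE.search(fields.get("msg", "")) is not None)

def find_crashes(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed records that match the crash signature; several in a
    short window is the pattern the advisory asks you to look for."""
    return [f for f in map(parse_kv, lines) if is_sslvpnd_crash(f)]

# --- 2. Filesystem artifacts ------------------------------------------------
ARTIFACT_PATHS = [
    "/data/lib/libips.bak", "/data/lib/libgif.so", "/data/lib/libiptcp.so",
    "/data/lib/libipudp.so", "/data/lib/libjepg.so", "/var/.sslvpnconfigbk",
    "/data/etc/wxd.conf", "/flash",
]

def find_artifacts(root: str, paths: Iterable[str] = ARTIFACT_PATHS) -> List[str]:
    """Report which advisory paths exist under root (use root="/" on an exported image).
    Presence is reported, not judged: an analyst still has to review each hit."""
    return [p for p in paths if os.path.lexists(os.path.join(root, p.lstrip("/")))]

def build_demo_tree() -> str:
    """Constructed tree with two artifacts present; stands in for a device image."""
    root = tempfile.mkdtemp(prefix="fortios-demo-")
    for rel in ("data/lib/libgif.so", "var/.sslvpnconfigbk"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "wb").close()
    return root

# --- 3. Network IOCs (defanged exactly as listed in the post) -------------------
DEFANGED_IOCS = [
    "188[.]34.130.40:444",
    "103[.]131.189.143:30080,30081,30443,20443",
    "192[.]36.119.61:8443,444",
    "172[.]247.168.153:8033",
]

def load_iocs(entries: Iterable[str]) -> Set[Tuple[str, int]]:
    """Refang 'ip[.]x:port,port' entries into a set of (ip, port) tuples."""
    iocs = set()
    for entry in entries:
        ip, ports = entry.replace("[.]", ".").split(":")
        for port in ports.split(","):
            iocs.add((ip, int(port)))
    return iocs

def match_connections(lines: Iterable[str], iocs: Set[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Return (dstip, dstport) pairs from traffic logs that hit an IOC, in log order."""
    hits = []
    for fields in map(parse_kv, lines):
        try:
            pair = (fields["dstip"], int(fields["dstport"]))
        except (KeyError, ValueError):
            continue  # not a traffic record, or malformed port
        if pair in iocs:
            hits.append(pair)
    return hits

# --- Constructed sample input (not real device logs) -----------------------------
SAMPLE_EVENT_LOGS = [
    'date=2022-12-10 time=03:12:45 logid="0100022131" type="event" level="critical" logdesc="Application crashed" msg="Pid: 1532, application: sslvpnd, Firmware: FortiGate-100F v7.0.6, Signal 11 received, Backtrace: [0x7f3a0000]"',
    'date=2022-12-10 time=03:12:51 logid="0100022131" type="event" level="critical" logdesc="Application crashed" msg="Pid: 1540, application: sslvpnd, Firmware: FortiGate-100F v7.0.6, Signal 11 received, Backtrace: [0x7f3a0000]"',
    'date=2022-12-10 time=03:13:02 logid="0100032001" type="event" level="information" logdesc="Admin login successful" msg="Administrator admin logged in successfully from https(10.0.0.5)"',
    'date=2022-12-10 time=03:14:00 logid="0100022131" type="event" level="critical" logdesc="Application crashed" msg="Pid: 77, application: httpsd, Signal 11 received, Backtrace: [0x7f3b0000]"',
]
SAMPLE_TRAFFIC_LOGS = [
    'date=2022-12-10 time=03:15:00 type="traffic" srcip=10.0.0.12 dstip=188.34.130.40 dstport=444 proto=6 action="accept"',
    'date=2022-12-10 time=03:15:03 type="traffic" srcip=10.0.0.12 dstip=93.184.216.34 dstport=443 proto=6 action="accept"',
    'date=2022-12-10 time=03:15:09 type="traffic" srcip=10.0.0.12 dstip=103.131.189.143 dstport=30443 proto=6 action="accept"',
]

if __name__ == "__main__":
    for rec in find_crashes(SAMPLE_EVENT_LOGS):
        print("sslvpnd crash:", rec["date"], rec["time"], rec["msg"][:48])
    root = build_demo_tree()
    print("artifacts present under", root, ":", find_artifacts(root))
    print("IOC hits:", match_connections(SAMPLE_TRAFFIC_LOGS, load_iocs(DEFANGED_IOCS)))
```

The crash filter deliberately requires both the sslvpnd process name and "Signal 11 received" so that unrelated daemon crashes (the httpsd line in the sample) do not count; the fourth sample line is there to show that. Crash entries alone are a lead, not proof of compromise, which is why the script also reports the filesystem artifacts and outbound connections to the listed IP:port pairs so the three signals can be correlated.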

For more on this attack and how to manage similar attacks, contact our managed cybersecurity services team here.

About qmasters

QMasters was founded in 2015 to help Israeli governmental, military, niche security, and municipality offices protect themselves from cyber-attacks. As the cyber security threats grow year after year, so does our list of customers. We are a team of 30+ security experts committed to solving security challenges with the right combination of strategies and technologies.
