A heap-based buffer overflow vulnerability in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. The severity of this vulnerability is considered to be critical with a maximum CVSSv3 base score of 9.3/10.

The vulnerability is a heap-based buffer overflow in the "sslvpnd" daemon, the process that terminates SSL-VPN sessions. An unauthenticated, remote threat actor can send specially crafted data to the SSL-VPN component, corrupt the heap and execute arbitrary code on the targeted device.

Our SOC team are currently investigating the public exploitation of this vulnerability (CVE-2022-42475) and are validating your systems against the following indicators of compromise:

Multiple log entries with:

Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"


Presence of the following artefacts in the filesystem:

/data/lib/libips.bak

/data/lib/libgif.so

/data/lib/libiptcp.so

/data/lib/libipudp.so

/data/lib/libjepg.so

/var/.sslvpnconfigbk

/data/etc/wxd.conf

/flash


Connections to suspicious IP addresses from the FortiGate:

188.34.130.40:444

103.131.189.143:30080, 30081, 30443, 20443

192.36.119.61:8443, 444

172.247.168.153:8033
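The three indicator checks above (crash log entries, dropped files, outbound connections), implemented as an added example that is not part of this advisory or of Fortinet's own tooling. It assumes you have exported FortiGate event and traffic logs in the usual key=value syslog format and a file listing from the device; the sample log lines and file list below are constructed, not real device output, and the process ID and backtrace addresses in them are placeholders. The sslvpnd match tolerates optional whitespace after "application:" because the advisory pattern abbreviates the message.

```python
import re

# File artefacts from the advisory (matched as exact paths).
IOC_FILES = {
    "/data/lib/libips.bak",
    "/data/lib/libgif.so",
    "/data/lib/libiptcp.so",
    "/data/lib/libipudp.so",
    "/data/lib/libjepg.so",
    "/var/.sslvpnconfigbk",
    "/data/etc/wxd.conf",
    "/flash",
}

# Network indicators from the advisory: destination IP -> destination ports.
IOC_NET = {
    "188.34.130.40": {444},
    "103.131.189.143": {30080, 30081, 30443, 20443},
    "192.36.119.61": {8443, 444},
    "172.247.168.153": {8033},
}

# FortiGate logs are key=value pairs; values containing spaces are double-quoted.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SSLVPND_RE = re.compile(r"application:\s*sslvpnd", re.IGNORECASE)


def parse_kv(line):
    """Parse one FortiGate log line into a dict with lower-cased keys."""
    return {k.lower(): v.strip('"') for k, v in KV_RE.findall(line)}


def is_sslvpnd_crash(line):
    """Event log indicator: logdesc="Application crashed" for sslvpnd with Signal 11."""
    fields = parse_kv(line)
    if fields.get("logdesc") != "Application crashed":
        return False
    msg = fields.get("msg", "")
    return bool(SSLVPND_RE.search(msg)) and "Signal 11" in msg


def match_traffic(line):
    """Traffic log indicator: (dstip, dstport) if the pair is on the advisory list."""
    fields = parse_kv(line)
    dst = fields.get("dstip")
    try:
        port = int(fields.get("dstport", ""))
    except ValueError:
        return None
    return (dst, port) if port in IOC_NET.get(dst, ()) else None


def match_files(paths):
    """Filesystem indicator: advisory artefacts present in a file listing."""
    return sorted(IOC_FILES.intersection(paths))


def sweep(log_lines, file_listing):
    """Run all three checks over exported logs and a file listing."""
    return {
        "crashes": [l for l in log_lines if is_sslvpnd_crash(l)],
        "connections": sorted({m for m in map(match_traffic, log_lines) if m}),
        "files": match_files(file_listing),
    }


# Constructed sample input (not real device output) to exercise the checks.
SAMPLE_LOGS = [
    'date=2022-12-12 time=10:15:01 type="event" subtype="system" level="critical" '
    'logdesc="Application crashed" msg="Pid: 2176, application:sslvpnd, '
    'Signal 11 received, Backtrace: [0x00460f3c] [0x0045b5a0]"',
    'date=2022-12-12 time=10:15:05 type="event" subtype="system" level="critical" '
    'logdesc="Application crashed" msg="Pid: 1983, application:httpsd, '
    'Signal 11 received, Backtrace: [0x00412abc]"',
    'date=2022-12-12 time=10:16:22 type="traffic" subtype="forward" srcip=10.0.0.1 '
    'dstip=103.131.189.143 dstport=30443 proto=6 action="accept"',
    'date=2022-12-12 time=10:16:30 type="traffic" subtype="forward" srcip=10.0.0.1 '
    'dstip=103.131.189.143 dstport=443 proto=6 action="accept"',
]
SAMPLE_FILES = ["/data/lib/libips.so", "/data/lib/libips.bak", "/data/etc/wxd.conf", "/bin/init"]

if __name__ == "__main__":
    for name, hits in sweep(SAMPLE_LOGS, SAMPLE_FILES).items():
        print(f"{name}: {hits}")
```

A crash of another daemon (the httpsd line) or a connection to a listed IP on an unlisted port is deliberately not flagged, so the output stays tied to the published indicators; widen the matching only if you have your own evidence for it.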

Mitigation steps

Validate your FortiGates against the indicators of compromise listed above, then upgrade to a fixed release.


Fortinet has announced the following affected products:

FortiOS version 7.2.0 through 7.2.2

FortiOS version 7.0.0 through 7.0.8

FortiOS version 6.4.0 through 6.4.10

FortiOS version 6.2.0 through 6.2.11

FortiOS-6K7K version 7.0.0 through 7.0.7

FortiOS-6K7K version 6.4.0 through 6.4.9

FortiOS-6K7K version 6.2.0 through 6.2.11

FortiOS-6K7K version 6.0.0 through 6.0.14


Fortinet’s advisory notes that these versions should be updated to the following, respectively:

FortiOS version 7.2.3 or above

FortiOS version 7.0.9 or above

FortiOS version 6.4.11 or above

FortiOS version 6.2.12 or above

FortiOS-6K7K version 7.0.8 or above

FortiOS-6K7K version 6.4.10 or above

FortiOS-6K7K version 6.2.12 or above

FortiOS-6K7K version 6.0.15 or above
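A triage helper for the version table above, added here as an example and not part of this advisory or of Fortinet's tooling. It assumes the version is read from the first line of the FortiGate CLI command `get system status` (format "Version: <model> vX.Y.Z,buildNNNN,..."); the sample line is constructed. A branch that the advisory does not list is reported as "not listed" rather than "safe", because the page only supports statements about the branches it names.

```python
import re

# Affected range (inclusive) and first fixed release per branch, from the advisory.
AFFECTED = {
    ("FortiOS", "7.2"): ((7, 2, 0), (7, 2, 2), "7.2.3"),
    ("FortiOS", "7.0"): ((7, 0, 0), (7, 0, 8), "7.0.9"),
    ("FortiOS", "6.4"): ((6, 4, 0), (6, 4, 10), "6.4.11"),
    ("FortiOS", "6.2"): ((6, 2, 0), (6, 2, 11), "6.2.12"),
    ("FortiOS-6K7K", "7.0"): ((7, 0, 0), (7, 0, 7), "7.0.8"),
    ("FortiOS-6K7K", "6.4"): ((6, 4, 0), (6, 4, 9), "6.4.10"),
    ("FortiOS-6K7K", "6.2"): ((6, 2, 0), (6, 2, 11), "6.2.12"),
    ("FortiOS-6K7K", "6.0"): ((6, 0, 0), (6, 0, 14), "6.0.15"),
}

VERSION_RE = re.compile(r"\bv(\d+)\.(\d+)\.(\d+)")


def parse_version(status_line):
    """Return (major, minor, patch) from a 'Version: ... vX.Y.Z,build...' line."""
    m = VERSION_RE.search(status_line)
    if m is None:
        raise ValueError("no vX.Y.Z version string found")
    return tuple(int(x) for x in m.groups())


def assess(version, product="FortiOS"):
    """Classify a version as vulnerable, fixed, or not listed in this advisory.

    Returns (status, first_fixed_release_or_None). 6K7K models have their own
    table, so pass product="FortiOS-6K7K" for those.
    """
    branch = f"{version[0]}.{version[1]}"
    entry = AFFECTED.get((product, branch))
    if entry is None:
        return ("not listed", None)
    low, high, fixed = entry
    if low <= tuple(version) <= high:
        return ("vulnerable", fixed)
    return ("fixed", fixed)


# Constructed sample of the first line of `get system status` (not real output).
SAMPLE_STATUS = "Version: FortiGate-100F v7.0.8,build0418,221020 (GA.F)"

if __name__ == "__main__":
    ver = parse_version(SAMPLE_STATUS)
    status, fixed = assess(ver)
    print(f"FortiOS {'.'.join(map(str, ver))}: {status}, upgrade to {fixed}")
```

Note that the same version number can be vulnerable on one product line and fixed on the other (7.0.8 is affected on FortiOS but is the fixed release for FortiOS-6K7K), so identify the platform before reading the result.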

Get support now

This is an ongoing event and we are continuing to track the developments. If you have any questions or need support, please contact our IT service desk on 01904 562207 or email [email protected].