Blog | Holm Security

Security Announcement: Critical Vulnerability in FortiOS

Written by Erik Torlén | Dec 16, 2022 12:36:24 PM

Overview

FortiOS SSL-VPN does not properly validate HTTP requests, so specially crafted requests can overflow a heap buffer.

"A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests," warns Fortinet in a security advisory.

An unauthenticated attacker could gain complete access to the vulnerable server with administrative privileges, making this a critical vulnerability with a CVSS score of 9.3. Holm Security Scanner can detect (HID-2-1-5349776) whether a vulnerable version is installed on the target IP using an authenticated scan.

What Products Are Vulnerable

Popular products such as FortiGate, FortiGuard, and FortiSASE all run on top of FortiOS, so any of them with SSL-VPN enabled is vulnerable to remote code execution (RCE). The following FortiOS versions are vulnerable:

FortiOS version 7.2.0 through 7.2.2
FortiOS version 7.0.0 through 7.0.8
FortiOS version 6.4.0 through 6.4.10
FortiOS version 6.2.0 through 6.2.11
FortiOS version 6.0.0 through 6.0.15
FortiOS version 5.6.0 through 5.6.14
FortiOS version 5.4.0 through 5.4.13
FortiOS version 5.2.0 through 5.2.15
FortiOS version 5.0.0 through 5.0.14
FortiOS-6K7K version 7.0.0 through 7.0.7
FortiOS-6K7K version 6.4.0 through 6.4.9
FortiOS-6K7K version 6.2.0 through 6.2.11
FortiOS-6K7K version 6.0.0 through 6.0.14

There are no public exploits available as of 15-12-2022; however, since this can be exploited without authentication, automated exploits will be released soon. While Fortinet has not provided any information on how the flaw is being exploited, it has shared IOCs related to the attacks, including the following log entry:

Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"

Fortinet warned that the following file system artifacts would be present on exploited devices:

/data/lib/libips.bak
/data/lib/libgif.so
/data/lib/libiptcp.so
/data/lib/libipudp.so
/data/lib/libjepg.so
/var/.sslvpnconfigbk
/data/etc/wxd.conf
/flash

Fortinet also shared a list of IP addresses seen exploiting the vulnerability, listed below:

  • 188.34.130.40:444 
  • 103.131.189.143:30080,30081,30443,20443
  • 192.36.119.61:8443,444
  • 172.247.168.153:8033 
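The log entry and file system artifacts listed above can be checked with a short triage script. This is an added example, not code from Fortinet or Holm Security; it assumes logs exported as key=value lines and a file listing collected from the device separately, and the function names and sample data are hypothetical.

```python
import re

# Artifact paths exactly as listed on this page; all names below are hypothetical.
ARTIFACT_PATHS = {
    "/data/lib/libips.bak", "/data/lib/libgif.so", "/data/lib/libiptcp.so",
    "/data/lib/libipudp.so", "/data/lib/libjepg.so", "/var/.sslvpnconfigbk",
    "/data/etc/wxd.conf", "/flash",
}

# key=value pairs; a value is either double-quoted or a bare token (assumed format).
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fields(line):
    """Parse one key=value log line into a dict with lower-cased keys."""
    return {k.lower(): (q if q else b) for k, q, b in _KV.findall(line)}

def is_sslvpnd_crash(line):
    """True when the line carries the crash IOC: logdesc plus all msg markers."""
    f = parse_fields(line)
    msg = f.get("msg", "")
    return (f.get("logdesc", "").lower() == "application crashed"
            and "application:sslvpnd" in msg
            and "Signal 11 received" in msg
            and "Backtrace:" in msg)

def triage(log_lines, file_listing):
    """Return (matching crash log lines, sorted artifact paths found)."""
    crashes = [l for l in log_lines if is_sslvpnd_crash(l)]
    found = sorted(ARTIFACT_PATHS & {p.strip() for p in file_listing})
    return crashes, found

# Constructed sample data, not taken from a real device.
SAMPLE_LOGS = [
    'date=2022-12-12 time=09:14:02 type="event" logdesc="Application crashed" '
    'msg="Pid: 00231, application:sslvpnd, Signal 11 received, Backtrace: [0x0]"',
    'date=2022-12-12 time=09:20:11 type="event" logdesc="Application crashed" '
    'msg="Pid: 00412, application:httpsd, Signal 6 received, Backtrace: [0x0]"',
    'date=2022-12-12 time=09:31:45 type="event" logdesc="Admin login successful" '
    'msg="Administrator admin logged in"',
]
SAMPLE_FILES = ["/data/lib/libips.so", "/data/lib/libgif.so", "/var/.sslvpnconfigbk\n"]

if __name__ == "__main__":
    crashes, artifacts = triage(SAMPLE_LOGS, SAMPLE_FILES)
    print(f"{len(crashes)} sslvpnd crash line(s); artifacts found: {artifacts}")
```

Paths are matched exactly, so a similarly named file such as the constructed /data/lib/libips.so is not reported as the listed /data/lib/libips.bak.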

According to sources on Twitter, this CVE is being actively exploited by ransomware groups.

We will keep you updated as additional information becomes available. Reach out to support@holmsecurity.com if you have any questions.