On December 12th, Fortinet, one of the foremost players in the firewall, AV, intrusion prevention systems, and endpoint security ecosystem, announced the discovery of CVE-2022-42475. This is a heap-based buffer overflow bug in their FortiOS SSL-VPN which could enable remote code execution (RCE) on devices running the provider’s VPN, which is often used by organizations to grant users remote network access. According to Fortinet’s Fortiguard PSIRT Advisory, this vulnerability “may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests”.
Attackers Can Get “Full Control”
The vulnerability was initially discovered by French security company Olympe Cyber Defense and disclosed to Fortinet on December 9th. On their blog, Olympe implored users to continually monitor their logs until the patch had been released. With a CVSS score of 9.3 (CRITICAL), this flaw is easy to exploit and could allow an attacker to get “full control”. They continue and state (translated from French), “An attacker can perform: Manipulation of the dynamic resources of certain processes to the point of diverting their operations”.
And in fact, Fortinet is reporting that it has already been exploited in the wild. According to the same advisory, “Fortinet is aware of an instance where this vulnerability was exploited in the wild, and recommends immediately validating your systems against the following indicators of compromise:
Multiple log entries with:
Logdesc="Application crashed" and msg="[…] application:sslvpnd,[…], Signal 11 received, Backtrace: […]"”
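The indicator above is the only detection detail the advisory gives, so here is a small log check for it, added here as an example rather than anything from Fortinet or XM Cyber. It assumes FortiOS's key=value log syntax with a devname field (an assumption, not stated on this page) and runs over constructed sample lines.

```python
import re
from collections import Counter

# The two fields Fortinet's advisory names as the indicator: a logdesc of
# "Application crashed" whose msg shows sslvpnd dying with signal 11 (SIGSEGV).
CRASH_RE = re.compile(r'logdesc="Application crashed"', re.IGNORECASE)
SSLVPND_RE = re.compile(
    r'msg="[^"]*application:sslvpnd,[^"]*Signal 11 received[^"]*Backtrace',
    re.IGNORECASE,
)
# devname is assumed to be present in the key=value line (FortiOS-style field).
DEVNAME_RE = re.compile(r'devname="([^"]+)"')


def is_sslvpnd_crash(line: str) -> bool:
    """True if one log line matches the advisory's sslvpnd crash pattern."""
    return bool(CRASH_RE.search(line) and SSLVPND_RE.search(line))


def find_suspicious_devices(lines, min_hits=2):
    """Count matching crash entries per device.

    The advisory talks about *multiple* entries, so a single crash is only
    reported when min_hits is lowered; the default flags repeated crashes.
    """
    hits = Counter()
    for line in lines:
        if is_sslvpnd_crash(line):
            m = DEVNAME_RE.search(line)
            hits[m.group(1) if m else "unknown"] += 1
    return {dev: n for dev, n in hits.items() if n >= min_hits}


# Constructed sample lines (not real captures): two sslvpnd crashes on one
# device, an unrelated httpsd crash on another, and a normal SSL-VPN login.
SAMPLE_LOG = """\
date=2022-12-10 time=03:14:07 devname="fgt-edge-1" type="event" subtype="system" level="critical" logdesc="Application crashed" msg="Pid: 12345, application:sslvpnd, Firmware: FortiGate-100F v7.0.8, Signal 11 received, Backtrace: [0x00000000]"
date=2022-12-10 time=03:14:09 devname="fgt-edge-1" type="event" subtype="system" level="critical" logdesc="Application crashed" msg="Pid: 12346, application:sslvpnd, Firmware: FortiGate-100F v7.0.8, Signal 11 received, Backtrace: [0x00000000]"
date=2022-12-10 time=03:20:00 devname="fgt-edge-2" type="event" subtype="system" level="critical" logdesc="Application crashed" msg="Pid: 777, application:httpsd, Signal 11 received, Backtrace: [0x00000000]"
date=2022-12-10 time=03:21:00 devname="fgt-edge-1" type="event" subtype="vpn" level="information" logdesc="SSL VPN login" msg="SSL user login"
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

if __name__ == "__main__":
    for dev, n in find_suspicious_devices(SAMPLE_LINES).items():
        print(f"{dev}: {n} sslvpnd crash entries, check for CVE-2022-42475 exploitation")
```

Point the script at an exported event log instead of SAMPLE_LINES; repeated sslvpnd crashes on a device still running an affected build warrant a compromise assessment, not just a patch.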
Fortinet hasn’t yet released any other details on what may have already occurred in the wild. But posting on Mastodon, the social media platform many security professionals have pivoted to recently, researcher Kevin Beaumont posits that an unknown and fast-moving ransomware group was the first to leverage the vulnerability.
Here is a list of products that are affected:
FortiOS version 7.2.0 – 7.2.2
FortiOS version 7.0.0 – 7.0.8
FortiOS version 6.4.0 – 6.4.10
FortiOS version 6.2.0 – 6.2.11
FortiOS-6K7K version 7.0.0 – 7.0.7
FortiOS-6K7K version 6.4.0 – 6.4.9
FortiOS-6K7K version 6.2.0 – 6.2.11
FortiOS-6K7K version 6.0.0 – 6.0.14
So What Can You Do?
Well, first of all, Fortinet has released a patch to fix the vulnerability. If you are using any of the affected products listed above, go and patch immediately if you haven’t already done so. If for whatever reason you cannot patch, you can disable SSL-VPN.
And if you are an XM Cyber customer, to measure the impact of the vulnerability, you can create a scenario that starts from machines in the same IP subnet, towards your critical assets. XM Cyber’s Attack Path Management enables the prioritization and remediation of choke points leading from the possible CVE-2022-42475 exploits to your critical assets, breaking the potential attack vector. This means that XM Cyber customers can see the attack before it happens and cut off attack paths at key junctures and remove the risk with vastly reduced effort and resources.