{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2022-086.pdf"
    },
    "title": "Remote Code Execution Vulnerability in FortiOS SSL-VPN",
    "serial_number": "2022-086",
    "publish_date": "13-12-2022 12:50:00",
    "description": "On December 12, 2022, Fortinet released an advisory concerning a critical heap-based buffer overflow vulnerability in FortiOS SSL-VPN that may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. This vulnerability, CVE-2022-42475, has a CVSS score of 9.3.<br>Fortinet is aware of one instance where this vulnerability was exploited in the wild. They do not believe this to be trivial to exploit; however, they are advising customers using SSL-VPN to upgrade immediately.",
    "url_title": "2022-086",
    "content_markdown": "---\ntitle: 'Remote Code Execution Vulnerability in FortiOS SSL-VPN'\nversion: '1.0'\nnumber: '2022-086'\noriginal_date: 'December 12, 2022'\ndate: 'December 13, 2022'\n---\n\n_History:_\n\n* _13/12/2022 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn December 12, 2022, Fortinet released an advisory concerning a critical heap-based buffer overflow vulnerability in FortiOS SSL-VPN that may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. This vulnerability, CVE-2022-42475, has a CVSS score of 9.3.\n\nFortinet is aware of one instance where this vulnerability was exploited in the wild. They do not believe this to be trivial to exploit; however, they are advising customers using SSL-VPN to upgrade immediately.\n\n# Technical Details\n\nBy exploiting this vulnerability (`CVE-2022-42475`), an attacker could manipulate the dynamic memory space of the process to such an extent that adjacent heap chunks may be corrupted to hijack its flow of execution.\n\n# Affected Products\n\nThe following products are affected [1]:\n\n- FortiOS version 7.2.0 through 7.2.2\n- FortiOS version 7.0.0 through 7.0.8\n- FortiOS version 6.4.0 through 6.4.10\n- FortiOS version 6.2.0 through 6.2.11\n- FortiOS-6K7K version 7.0.0 through 7.0.7\n- FortiOS-6K7K version 6.4.0 through 6.4.9\n- FortiOS-6K7K version 6.2.0 through 6.2.11\n- FortiOS-6K7K version 6.0.0 through 6.0.14\n\n# Recommendations\n\nUpgrade to:\n\n- FortiOS version 7.2.3 or above\n- FortiOS version 7.0.9 or above\n- FortiOS version 6.4.11 or above\n- FortiOS version 6.2.12 or above\n- FortiOS-6K7K version 7.0.8 or above\n- FortiOS-6K7K version 6.4.10 or above\n- FortiOS-6K7K version 6.2.12 or above\n- FortiOS-6K7K version 6.0.15 or above\n\nCheck your systems for multiple log entries with:\n\n```\nLogdesc=\"Application crashed\" and msg=\"[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]\"\n```\n\nCheck for the presence of the following artefacts in the filesystem:\n\n- `/data/lib/libips.bak`\n- `/data/lib/libgif.so`\n- `/data/lib/libiptcp.so`\n- `/data/lib/libipudp.so`\n- `/data/lib/libjepg.so`\n- `/var/.sslvpnconfigbk`\n- `/data/etc/wxd.conf`\n- `/flash`\n\nCheck for any connections from the FortiGate to the following suspicious IP addresses:\n\n- `188.34.130.40:444`\n- `103.131.189.143:30080`, `30081`, `30443`, `20443`\n- `192.36.119.61:8443`, `444`\n- `172.247.168.153:8033`\n\n# Workaround\n\nDisable SSL-VPN until the upgrade can be performed.\n\n# References\n\n[1] <https://www.fortiguard.com/psirt/FG-IR-22-398>\n\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>13/12/2022 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On December 12, 2022, Fortinet released an advisory concerning a critical heap-based buffer overflow vulnerability in FortiOS SSL-VPN that may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. This vulnerability, CVE-2022-42475, has a CVSS score of 9.3.</p><p>Fortinet is aware of one instance where this vulnerability was exploited in the wild. They do not believe this to be trivial to exploit; however, they are advising customers using SSL-VPN to upgrade immediately.</p><h2 id=\"technical-details\">Technical Details</h2><p>By exploiting this vulnerability (<code>CVE-2022-42475</code>), an attacker could manipulate the dynamic memory space of the process to such an extent that adjacent heap chunks may be corrupted to hijack its flow of execution.</p><h2 id=\"affected-products\">Affected Products</h2><p>The following products are affected [1]:</p><ul><li>FortiOS version 7.2.0 through 7.2.2</li><li>FortiOS version 7.0.0 through 7.0.8</li><li>FortiOS version 6.4.0 through 6.4.10</li><li>FortiOS version 6.2.0 through 6.2.11</li><li>FortiOS-6K7K version 7.0.0 through 7.0.7</li><li>FortiOS-6K7K version 6.4.0 through 6.4.9</li><li>FortiOS-6K7K version 6.2.0 through 6.2.11</li><li>FortiOS-6K7K version 6.0.0 through 6.0.14</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>Upgrade to:</p><ul><li>FortiOS version 7.2.3 or above</li><li>FortiOS version 7.0.9 or above</li><li>FortiOS version 6.4.11 or above</li><li>FortiOS version 6.2.12 or above</li><li>FortiOS-6K7K version 7.0.8 or above</li><li>FortiOS-6K7K version 6.4.10 or above</li><li>FortiOS-6K7K version 6.2.12 or above</li><li>FortiOS-6K7K version 6.0.15 or above</li></ul><p>Check your systems for multiple log entries with:</p><pre><code>Logdesc=\"Application crashed\" and msg=\"[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]\"\n</code></pre><p>Check for the presence of the following artefacts in the filesystem:</p><ul><li><code>/data/lib/libips.bak</code></li><li><code>/data/lib/libgif.so</code></li><li><code>/data/lib/libiptcp.so</code></li><li><code>/data/lib/libipudp.so</code></li><li><code>/data/lib/libjepg.so</code></li><li><code>/var/.sslvpnconfigbk</code></li><li><code>/data/etc/wxd.conf</code></li><li><code>/flash</code></li></ul><p>Check for any connections from the FortiGate to the following suspicious IP addresses:</p><ul><li><code>188.34.130.40:444</code></li><li><code>103.131.189.143:30080</code>, <code>30081</code>, <code>30443</code>, <code>20443</code></li><li><code>192.36.119.61:8443</code>, <code>444</code></li><li><code>172.247.168.153:8033</code></li></ul><h2 id=\"workaround\">Workaround</h2><p>Disable SSL-VPN until the upgrade can be performed.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.fortiguard.com/psirt/FG-IR-22-398\">https://www.fortiguard.com/psirt/FG-IR-22-398</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}