JPCERT-AT-2022-0032
JPCERT/CC
2022-12-13 (Initial)
2022-12-19 (Update)

<<< JPCERT/CC Alert 2022-12-13 >>>
Alert Regarding Heap-based Buffer Overflow Vulnerability (CVE-2022-42475) in FortiOS
https://www.jpcert.or.jp/english/at/2022/at220032.html

I. Overview

On December 12, 2022 (local time), Fortinet released an advisory (FG-IR-22-398) regarding a heap-based buffer overflow vulnerability (CVE-2022-42475) in FortiOS. An unauthenticated, remote attacker exploiting the vulnerability may execute arbitrary code or commands via specifically crafted requests.

  Fortinet
  FortiOS - heap-based buffer overflow in sslvpnd
  https://www.fortiguard.com/psirt/FG-IR-22-398

Fortinet is aware of an instance where this vulnerability was exploited. Users of the affected products are recommended to apply the updates and, as soon as possible, to investigate whether the device has been compromised through this vulnerability, by referring to the information provided by Fortinet.

II. Affected Software

The following products and versions are affected by this vulnerability.

  - FortiOS version 7.2.0 through 7.2.2
  - FortiOS version 7.0.0 through 7.0.8
  - FortiOS version 6.4.0 through 6.4.10
  - FortiOS version 6.2.0 through 6.2.11
  - FortiOS version 6.0.0 through 6.0.15
  - FortiOS version 5.6.0 through 5.6.14
  - FortiOS version 5.4.0 through 5.4.13
  - FortiOS version 5.2.0 through 5.2.15
  - FortiOS version 5.0.0 through 5.0.14
  - FortiOS-6K7K version 7.0.0 through 7.0.7
  - FortiOS-6K7K version 6.4.0 through 6.4.9
  - FortiOS-6K7K version 6.2.0 through 6.2.11
  - FortiOS-6K7K version 6.0.0 through 6.0.14

** Update: December 14, 2022 Update *********************************
On December 13, 2022 (local time), the Fortinet advisory was updated, and versions 6.0.x and 5.x were added as affected products. The above list has been updated accordingly.
*********************************************************************

III. Solution
Fortinet has provided versions that address the vulnerability. Please consider updating to these versions by referring to the information provided by Fortinet.

  - FortiOS version 7.2.3 or above
  - FortiOS version 7.0.9 or above
  - FortiOS version 6.4.11 or above
  - FortiOS version 6.2.12 or above
  - FortiOS version 6.0.16 or above
  - FortiOS-6K7K version 7.0.8 or above
  - FortiOS-6K7K version 6.4.10 or above
  - FortiOS-6K7K version 6.2.12 or above
  - FortiOS-6K7K version 6.0.15 or above

** Update: December 19, 2022 Update *********************************
The Fortinet advisory has been updated, and information about the 6.0.x versions has been added. The above list has been updated accordingly. For the latest information, please refer to the Fortinet advisory.
*********************************************************************

IV. Recommended Measures

Fortinet is aware of an instance where this vulnerability was exploited, and recommends that users of the affected products check whether their systems have been compromised by examining the following:

  - Device logs indicating exploitation of the vulnerability
  - Presence of the artifacts in the filesystem
  - Connections to suspicious IP addresses from the FortiGate

The advisory published by Fortinet includes log entries that indicate possible exploitation of this vulnerability, as well as file names and IP addresses that are confirmed indicators of compromise. For the details and the latest information, please refer to the advisory published by Fortinet.

** Update: December 14, 2022 Update *********************************
On December 13, 2022 (local time), the Fortinet advisory was updated, and disabling SSL-VPN was added as a workaround.
*********************************************************************
** Update: December 19, 2022 Update *********************************
  Fortinet Community
  Technical Tip: [Critical vulnerability] Protect against heap-based buffer overflow in sslvpnd
  https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420
*********************************************************************

V. References

  Fortinet
  FortiOS - heap-based buffer overflow in sslvpnd
  https://www.fortiguard.com/psirt/FG-IR-22-398

If you have any information regarding this alert, please contact JPCERT/CC.

________

Revision History

  2022-12-13  First edition
  2022-12-14  Updated "II. Affected Software" and "IV. Recommended Measures"
  2022-12-19  Updated "III. Solution" and "IV. Recommended Measures"

======================================================================
JPCERT Coordination Center (Early Warning Group)
MAIL: ew-info@jpcert.or.jp
https://www.jpcert.or.jp/english/
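As an added example (not part of the JPCERT/CC alert and not Fortinet or JPCERT/CC tooling), the following Python script classifies a FortiOS or FortiOS-6K7K version string against the affected ranges in section II and the fixed versions in section III, so an operator with a device inventory can see at a glance which units still need the update. The range tables are transcribed from the alert text above; the hostnames and version strings in the sample inventory are constructed, and the tolerance for a leading "v" and a trailing ",build..." suffix in the version string is a parsing choice of this example, not a format the alert specifies.

```python
"""Classify a FortiOS / FortiOS-6K7K version against the CVE-2022-42475
ranges given in sections II and III of the JPCERT/CC alert.

Added example for this page; not JPCERT/CC or Fortinet tooling. The tables
below are transcribed from the alert text, not pulled from a live feed.
"""
import re

# Inclusive (first, last) affected ranges per product line, from section II.
AFFECTED = {
    "FortiOS": [
        ((7, 2, 0), (7, 2, 2)),
        ((7, 0, 0), (7, 0, 8)),
        ((6, 4, 0), (6, 4, 10)),
        ((6, 2, 0), (6, 2, 11)),
        ((6, 0, 0), (6, 0, 15)),
        ((5, 6, 0), (5, 6, 14)),
        ((5, 4, 0), (5, 4, 13)),
        ((5, 2, 0), (5, 2, 15)),
        ((5, 0, 0), (5, 0, 14)),
    ],
    "FortiOS-6K7K": [
        ((7, 0, 0), (7, 0, 7)),
        ((6, 4, 0), (6, 4, 9)),
        ((6, 2, 0), (6, 2, 11)),
        ((6, 0, 0), (6, 0, 14)),
    ],
}

# First fixed version per branch ("X.Y.Z or above"), from section III.
FIXED = {
    "FortiOS": [(7, 2, 3), (7, 0, 9), (6, 4, 11), (6, 2, 12), (6, 0, 16)],
    "FortiOS-6K7K": [(7, 0, 8), (6, 4, 10), (6, 2, 12), (6, 0, 15)],
}

# Accepts "7.0.8" or "v7.0.8,build0418": leading 'v' and anything after the
# third integer are ignored (parsing choice of this example).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch); raise ValueError on unrecognised input."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def classify(product, text):
    """Return (status, detail); status is 'affected', 'fixed' or 'not-listed'."""
    if product not in AFFECTED:
        raise ValueError(f"unknown product line: {product!r}")
    v = parse_version(text)
    branch = v[:2]
    # First fixed release on the same major.minor branch, if the alert lists one.
    fix = next((f for f in FIXED[product] if f[:2] == branch), None)

    for first, last in AFFECTED[product]:
        if first <= v <= last:
            if fix is None:
                # Section II lists the branch as affected but section III names
                # no fixed release for it (the 5.x lines), so defer to Fortinet.
                return ("affected", "no fixed version listed in this alert for "
                        f"branch {branch[0]}.{branch[1]}; see the Fortinet advisory")
            return ("affected", "update to %d.%d.%d or above" % fix)

    if fix is not None and v >= fix:
        return ("fixed", "version is at or above %d.%d.%d" % fix)

    return ("not-listed", "version is outside every range given in this alert")


def triage(entries):
    """Classify (hostname, product, version) tuples; return [(hostname, status)]."""
    return [(host, classify(product, ver)[0]) for host, product, ver in entries]


if __name__ == "__main__":
    sample = [  # constructed inventory, not real devices
        ("fw-edge-01", "FortiOS", "v7.0.8,build0418"),
        ("fw-edge-02", "FortiOS", "7.0.9"),
        ("fw-dc-01", "FortiOS-6K7K", "7.0.8"),
        ("fw-legacy-01", "FortiOS", "5.6.3"),
        ("fw-lab-01", "FortiOS", "7.4.0"),
    ]
    for host, status in triage(sample):
        print(f"{host:14} {status}")
```

Note that the same version string can classify differently per product line (7.0.8 is affected on FortiOS but the first fixed release on FortiOS-6K7K), which is why the product line is a required input rather than inferred; a "not-listed" result means only that the alert's tables say nothing about that version, not that it is safe.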