JPCERT-AT-2022-0032
JPCERT/CC
2022-12-13(Initial)
2022-12-19(Update)
I. Overview
On December 12, 2022 (local time), Fortinet released an advisory (FG-IR-22-398) regarding a heap-based buffer overflow vulnerability (CVE-2022-42475) in FortiOS. An unauthenticated, remote attacker exploiting the vulnerability may execute arbitrary code or commands via specifically crafted requests.
Fortinet
FortiOS - heap-based buffer overflow in sslvpnd
https://www.fortiguard.com/psirt/FG-IR-22-398
Fortinet is aware of an instance where this vulnerability was exploited. Users of the affected products are recommended to apply updates and to investigate, as soon as possible, whether the device has been compromised through the vulnerability, referring to the information provided by Fortinet.
II. Affected Software
The following products and versions are affected by this vulnerability.
- FortiOS version 7.2.0 through 7.2.2
- FortiOS version 7.0.0 through 7.0.8
- FortiOS version 6.4.0 through 6.4.10
- FortiOS version 6.2.0 through 6.2.11
- FortiOS version 6.0.0 through 6.0.15
- FortiOS version 5.6.0 through 5.6.14
- FortiOS version 5.4.0 through 5.4.13
- FortiOS version 5.2.0 through 5.2.15
- FortiOS version 5.0.0 through 5.0.14
- FortiOS-6K7K version 7.0.0 through 7.0.7
- FortiOS-6K7K version 6.4.0 through 6.4.9
- FortiOS-6K7K version 6.2.0 through 6.2.11
- FortiOS-6K7K version 6.0.0 through 6.0.14
Update: December 14, 2022
On December 13, 2022 (local time), the Fortinet advisory was updated. Versions 6.0.x and 5.x were added as affected products. The above list has been updated accordingly.
III. Solution
Fortinet has provided versions that address the vulnerability. Please consider updating to these versions by referring to the information provided by Fortinet.
- FortiOS version 7.2.3 or above
- FortiOS version 7.0.9 or above
- FortiOS version 6.4.11 or above
- FortiOS version 6.2.12 or above
- FortiOS version 6.0.16 or above
- FortiOS-6K7K version 7.0.8 or above
- FortiOS-6K7K version 6.4.10 or above
- FortiOS-6K7K version 6.2.12 or above
- FortiOS-6K7K version 6.0.15 or above
Update: December 19, 2022
The Fortinet advisory has been updated and information about versions 6.0.x has been added. The above list has been updated accordingly. For the latest information, please refer to the Fortinet advisory.
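The affected ranges in section II and the fixed versions in section III can be applied to a device inventory as follows. This is an added example, not code from JPCERT/CC or Fortinet; the hostnames, the inventory rows and the status labels are constructed for illustration, and the version string format is an assumption.

```python
import re

# (product, major, minor) -> last affected patch level, from section II.
LAST_AFFECTED = {
    ("FortiOS", 7, 2): 2, ("FortiOS", 7, 0): 8, ("FortiOS", 6, 4): 10,
    ("FortiOS", 6, 2): 11, ("FortiOS", 6, 0): 15, ("FortiOS", 5, 6): 14,
    ("FortiOS", 5, 4): 13, ("FortiOS", 5, 2): 15, ("FortiOS", 5, 0): 14,
    ("FortiOS-6K7K", 7, 0): 7, ("FortiOS-6K7K", 6, 4): 9,
    ("FortiOS-6K7K", 6, 2): 11, ("FortiOS-6K7K", 6, 0): 14,
}
# (product, major, minor) -> first fixed patch level, from section III.
# The alert lists no fixed release for the 5.x branches.
FIRST_FIXED = {
    ("FortiOS", 7, 2): 3, ("FortiOS", 7, 0): 9, ("FortiOS", 6, 4): 11,
    ("FortiOS", 6, 2): 12, ("FortiOS", 6, 0): 16,
    ("FortiOS-6K7K", 7, 0): 8, ("FortiOS-6K7K", 6, 4): 10,
    ("FortiOS-6K7K", 6, 2): 12, ("FortiOS-6K7K", 6, 0): 15,
}

def triage(product, version):
    """Return (status, fixed_version); fixed_version is None when not applicable."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return ("unparseable", None)
    major, minor, patch = map(int, m.groups())
    branch = (product, major, minor)
    if branch not in LAST_AFFECTED:
        return ("not-listed", None)  # branch is not named in this alert
    fixed = FIRST_FIXED.get(branch)
    fixed_str = f"{major}.{minor}.{fixed}" if fixed is not None else None
    if patch <= LAST_AFFECTED[branch]:
        return ("affected", fixed_str)
    if fixed is not None and patch >= fixed:
        return ("fixed", None)
    return ("not-listed", None)

# Constructed inventory rows: (hostname, product, reported version string).
INVENTORY = [
    ("fw-edge-01", "FortiOS", "v7.0.8"),
    ("fw-core-01", "FortiOS-6K7K", "v7.0.8"),
    ("fw-lab-01", "FortiOS", "v5.6.14"),
    ("fw-dc-01", "FortiOS", "v7.2.3"),
]

def triage_inventory(rows):
    return [(host, *triage(product, version)) for host, product, version in rows]

if __name__ == "__main__":
    for host, status, fixed in triage_inventory(INVENTORY):
        print(f"{host:12} {status:12} {fixed or '-'}")
```

The same version number can land on different sides of the boundary depending on the product line: 7.0.8 is affected on FortiOS but is the first fixed release on FortiOS-6K7K. A "fixed" result covers only this alert's version lists and says nothing about whether the device was compromised before it was updated.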
IV. Recommended Measures
Fortinet is aware of an instance where this vulnerability was exploited, and recommends that users of the affected products validate their systems to determine whether they have been compromised by checking the following:
- Device logs indicating an exploit of the vulnerability
- Presence of the artifacts in the filesystem
- Connections to suspicious IP addresses from the FortiGate
The advisory published by Fortinet includes logs that indicate the possibility of exploitation of this vulnerability, as well as file names and IP addresses that are confirmed to be indicators of compromise. For details and the latest information, please refer to the advisory published by Fortinet.
Update: December 14, 2022
On December 13, 2022 (local time), the Fortinet advisory was updated. Disabling SSL-VPN has been added as a workaround.
Update: December 19, 2022
Fortinet Community
Technical Tip: [Critical vulnerability] Protect against heap-based buffer overflow in sslvpnd
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420
V. References
Fortinet
FortiOS - heap-based buffer overflow in sslvpnd
https://www.fortiguard.com/psirt/FG-IR-22-398
If you have any information regarding this alert, please contact JPCERT/CC.
Revision History
2022-12-13 First edition
2022-12-14 Updated "II. Affected Software" and "IV. Recommended Measures"
2022-12-19 Updated "III. Solution" and "IV. Recommended Measures"
JPCERT Coordination Center (Early Warning Group)
MAIL: ew-info@jpcert.or.jp
https://www.jpcert.or.jp/english/