FortiOS SSL-VPN doesn't validate HTTP requests properly, leading to an overflow of heap buffer using specially crafted requests.
"A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests," warns Fortinet in a security advisory.
Unauthenticated attacks could get complete access to the vulnerable server with administrative privileges, making this a critical vulnerability with a CVSS score of 9.3. Holm Security Scanner can find (HID-2-1-5349776 ) whether the vulnerable version is installed in the target IP using an authenticated scan.
What Products Are Vulnerable
Most popular products like FortiGate, FortiGuard, and FortiSASE all run on top of FortiOS, thus, if SSL-VPN is enabled, it makes the product vulnerable to Remote. RCE, the following are the version that is vulnerable FortiOS version:
FortiOS version 7.2.0 through 7.2.2
FortiOS version 7.0.0 through 7.0.8
FortiOS version 6.4.0 through 6.4.10
FortiOS version 6.2.0 through 6.2.11
FortiOS version 6.0.0 through 6.0.15
FortiOS version 5.6.0 through 5.6.14
FortiOS version 5.4.0 through 5.4.13
FortiOS version 5.2.0 through 5.2.15
FortiOS version 5.0.0 through 5.0.14
FortiOS-6K7K version 7.0.0 through 7.0.7
FortiOS-6K7K version 6.4.0 through 6.4.9
FortiOS-6K7K version 6.2.0 through 6.2.11
FortiOS-6K7K version 6.0.0 through 6.0.14
There are no public exploits available as of 15-12-2022; however, considering this could be exploited without authentication, automated exploits will be released soon. While Fortinet has not provided any information on how the flaw is being exploited, they shared IOCs related to attacks.
Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]“
Fortinet warned that the following ﬁle system artifacts would be present on exploited devices:
Fortinet also shared a list of IP addresses seen exploiting the vulnerability, listed below:
As per Twitter sources, This CVE is being actively exploited by ransomware groups.
We will keep you updated as additional information becomes available. Reach out to email@example.com if you have any questions.