en
en Global
fr-be Belgium
da Denmark
fi Finland
de-de Germany
en-my Malaysia
nl Netherlands
no Norway
poland Poland
sv Sweden
en-gb UK
Free Trial
Back to all posts
Hacker attacks & exploits

Critical Vulnerability in FortiOS

Fortinet has patched a zero-day buffer overflow in FortiOS that could lead to remote code execution. There has been a report of active exploitation and organizations should patch it urgently. 
Erik Torlén Erik Torlén December 16, 2022
Critical Vulnerability in FortiOS

Overview

FortiOS SSL-VPN doesn't validate HTTP requests properly, leading to an overflow of heap buffer using specially crafted requests.

"A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests," warns Fortinet in a security advisory.

Unauthenticated attacks could get complete access to the vulnerable server with administrative privileges, making this a critical vulnerability with a CVSS score of 9.3. Holm Security Scanner can find (HID-2-1-5349776 ) whether the vulnerable version is installed in the target IP using an authenticated scan.

What Products Are Vulnerable

Most popular products like FortiGate, FortiGuard, and FortiSASE all run on top of FortiOS, thus, if SSL-VPN is enabled, it makes the product vulnerable to Remote. RCE, the following are the version that is vulnerable FortiOS version:

FortiOS version 7.2.0 through 7.2.2
FortiOS version 7.0.0 through 7.0.8
FortiOS version 6.4.0 through 6.4.10
FortiOS version 6.2.0 through 6.2.11
FortiOS version 6.0.0 through 6.0.15
FortiOS version 5.6.0 through 5.6.14
FortiOS version 5.4.0 through 5.4.13
FortiOS version 5.2.0 through 5.2.15
FortiOS version 5.0.0 through 5.0.14
FortiOS-6K7K version 7.0.0 through 7.0.7
FortiOS-6K7K version 6.4.0 through 6.4.9
FortiOS-6K7K version 6.2.0 through 6.2.11
FortiOS-6K7K version 6.0.0 through 6.0.14

There are no public exploits available as of 15-12-2022; however, considering this could be exploited without authentication,  automated exploits will be released soon. While Fortinet has not provided any information on how the flaw is being exploited, they shared IOCs related to attacks.

Logdesc="Application crashed" and msg="[...]  application:sslvpnd,[...], Signal 11 received, Backtrace: [...]“ 

Fortinet warned that the following file system artifacts would be present on exploited devices:

/data/lib/libips.bak
/data/lib/libgif.so
/data/lib/libiptcp.so
/data/lib/libipudp.so
/data/lib/libjepg.so
/var/.sslvpnconfigbk
/data/etc/wxd.conf
/flash

Fortinet also shared a list of IP addresses seen exploiting the vulnerability, listed below:

  • 188.34.130.40:444 
  • 103.131.189.143:30080,30081,30443,20443
  • 192.36.119.61:8443,444
  • 172.247.168.153:8033 

As per Twitter sources, This CVE is being actively exploited by ransomware groups. 

We will keep you updated as additional information becomes available. Reach out to support@holmsecurity.com if you have any questions.
Erik Torlén

Erik Torlén

Erik has over ten years of experience scaling enterprise businesses and technology for a global audience. Erik has previously worked as CTO at Apica.

Follow me on LinkedIn

Latest articles

Browse all posts