CVE-2022-42475: Actively Exploited Vulnerability Found in Fortinet FortiOS

CVE-2022-42475

Fortinet on Monday informed customers about a critical vulnerability in its FortiOS product that has been exploited in the wild.

This CVE has been assigned a “critical” severity rating. The flaw, tracked as CVE-2022-42475 (CVSS score: 9.3), affects FortiOS SSL-VPN and allows an attacker to overflow a buffer and execute arbitrary code on the system, due to improper bounds checking by the SSL-VPN.


“A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests,” warns Fortinet in a security advisory.

“Fortinet is aware of an instance where this vulnerability was exploited in the wild,” the company notes.

The flaw affects the following versions:

  • FortiOS version 7.2.0 through 7.2.2
  • FortiOS version 7.0.0 through 7.0.8
  • FortiOS version 6.4.0 through 6.4.10
  • FortiOS version 6.2.0 through 6.2.11
  • FortiOS-6K7K version 7.0.0 through 7.0.7
  • FortiOS-6K7K version 6.4.0 through 6.4.9
  • FortiOS-6K7K version 6.2.0 through 6.2.11
  • FortiOS-6K7K version 6.0.0 through 6.0.14

Fortinet has patched CVE-2022-42475 in FortiOS versions 7.2.3, 7.0.9, 6.4.11 and 6.2.12, and in FortiOS-6K7K versions 7.0.8, 6.4.10, 6.2.12 and 6.0.15. The company recommends that customers update their products immediately, since the vulnerability can be exploited remotely.

The company also shared indicators of compromise that can help defenders hunt for infections: connections from the device to the following suspicious IP addresses and ports, and the filesystem artifacts listed further below.

  • 188.34.130.40:444
  • 103.131.189.143:30080,30081,30443,20443
  • 192.36.119.61:8443,444
  • 172.247.168.153:8033

Presence of the following artifacts in the filesystem:

  • /data/lib/libips.bak
  • /data/lib/libgif.so
  • /data/lib/libiptcp.so
  • /data/lib/libipudp.so
  • /data/lib/libjepg.so
  • /var/.sslvpnconfigbk
  • /data/etc/wxd.conf
  • /flash

Fortinet also published a log-based indicator. If an attacker exploited this vulnerability, entries like the following may appear in the device logs:

Logdesc="Application crashed" and msg="[…] application:sslvpnd,[…], Signal 11 received, Backtrace: […]"
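The following script is an added defensive example, not part of Fortinet's advisory or this article. It checks exported FortiGate event logs, traffic logs and a file listing against the three kinds of indicators quoted above (the sslvpnd crash signature, the IP:port list and the artifact paths). The log lines and paths it scans are constructed samples, and the exact field layout of real FortiGate entries may differ, so the regular expressions are deliberately tolerant of spacing and case.

```python
import re

# Indicators published in Fortinet's advisory for CVE-2022-42475 (values taken from the page above).
SUSPICIOUS_ENDPOINTS = {
    "188.34.130.40": {444},
    "103.131.189.143": {30080, 30081, 30443, 20443},
    "192.36.119.61": {8443, 444},
    "172.247.168.153": {8033},
}

ARTIFACT_PATHS = {
    "/data/lib/libips.bak",
    "/data/lib/libgif.so",
    "/data/lib/libiptcp.so",
    "/data/lib/libipudp.so",
    "/data/lib/libjepg.so",
    "/var/.sslvpnconfigbk",
    "/data/etc/wxd.conf",
    "/flash",
}

# Crash entry described in the advisory: sslvpnd terminated by Signal 11 (SIGSEGV).
# Matched case-insensitively; real entries may vary slightly in spacing and field order.
CRASH_RE = re.compile(
    r'logdesc="application crashed".*application:\s*sslvpnd.*signal 11 received',
    re.IGNORECASE,
)


def crash_log_hits(lines):
    """Return event-log lines that match the sslvpnd crash signature from the advisory."""
    return [line for line in lines if CRASH_RE.search(line)]


def suspicious_connections(traffic_lines):
    """Return (ip, port) pairs from key=value traffic-log lines whose destination is a listed endpoint."""
    hits = []
    for line in traffic_lines:
        ip = re.search(r'\bdstip=(\S+)', line)
        port = re.search(r'\bdstport=(\d+)', line)
        if not (ip and port):
            continue
        ip, port = ip.group(1).strip('"'), int(port.group(1))
        if port in SUSPICIOUS_ENDPOINTS.get(ip, ()):
            hits.append((ip, port))
    return hits


def artifact_hits(paths):
    """Return which of the observed filesystem paths are advisory-listed artifacts."""
    return sorted(set(paths) & ARTIFACT_PATHS)


# Constructed sample data (not real device output), shaped like FortiGate key=value logs.
SAMPLE_EVENT_LOGS = [
    'date=2022-12-12 time=03:14:07 logid="0100032006" type="event" subtype="system" level="critical" '
    'logdesc="Application crashed" msg="Pid: 1234, application: sslvpnd, Signal 11 received, Backtrace: [0x7f...]"',
    'date=2022-12-12 time=03:20:11 logid="0100032006" type="event" subtype="system" level="critical" '
    'logdesc="Application crashed" msg="Pid: 5678, application: ipsengine, Signal 11 received, Backtrace: [...]"',
    'date=2022-12-12 time=03:21:00 logid="0101039424" type="event" subtype="vpn" level="information" '
    'logdesc="SSL VPN tunnel up" msg="SSL tunnel established"',
]
SAMPLE_TRAFFIC_LOGS = [
    'date=2022-12-12 time=03:15:02 type="traffic" srcip=10.0.0.5 dstip=188.34.130.40 dstport=444 action="accept"',
    'date=2022-12-12 time=03:15:40 type="traffic" srcip=10.0.0.5 dstip=188.34.130.40 dstport=443 action="accept"',
    'date=2022-12-12 time=03:16:13 type="traffic" srcip=10.0.0.9 dstip=103.131.189.143 dstport=30443 action="accept"',
]
SAMPLE_PATHS = ["/data/lib/libips.so", "/data/lib/libips.bak", "/data/etc/wxd.conf", "/data/etc/sshd.conf"]

if __name__ == "__main__":
    for hit in crash_log_hits(SAMPLE_EVENT_LOGS):
        print("crash signature:", hit)
    for ip, port in suspicious_connections(SAMPLE_TRAFFIC_LOGS):
        print("suspicious connection:", ip, port)
    for path in artifact_hits(SAMPLE_PATHS):
        print("artifact present:", path)
```

Only the sslvpnd crash, the two connections that match both IP and port, and the two listed artifact paths are reported; a crash of another daemon, a connection to a listed IP on an unlisted port, and unrelated files are ignored, which keeps the output aligned with what the advisory actually names.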