Executive Summary
CVE-2022-42475 is a critical heap-based buffer overflow vulnerability in FortiOS SSL-VPN and FortiProxy SSL-VPN software. It allows a remote, unauthenticated attacker to execute arbitrary code or commands by sending specially crafted requests. Multiple versions of FortiOS and FortiProxy are affected, making it a significant threat to organizations running these products. APT groups exploiting this vulnerability have targeted government, financial services, and critical infrastructure organizations in the United States, Europe, and Asia.
Technical Information
CVE-2022-42475 is a heap-based buffer overflow vulnerability (CWE-122) in FortiOS SSL-VPN and FortiProxy SSL-VPN software. The vulnerability exists due to improper handling of memory operations, which allows an attacker to overflow the heap buffer and execute arbitrary code. The vulnerability affects FortiOS SSL-VPN versions 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier, and FortiProxy SSL-VPN versions 7.2.0 through 7.2.1, 7.0.7 and earlier.
The vulnerability has a CVSS v3.1 base score of 9.8, indicating its critical severity. The attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H).
The vulnerability is triggered by sending specifically crafted requests to the SSL-VPN component, which leads to a heap-based buffer overflow. This allows the attacker to gain control over the affected system and execute arbitrary code or commands.
Exploitation in the Wild
The vulnerability has been actively exploited in the wild. Attackers send specially crafted requests to the SSL-VPN component, trigger the heap-based buffer overflow, and use the resulting control over the process to execute arbitrary code on the affected system.
Indicators of Compromise (IOCs) include multiple log entries with
APT Groups using this vulnerability
Several Advanced Persistent Threat (APT) groups have been observed exploiting this vulnerability. These groups are known for targeting government, financial services, and critical infrastructure sectors in the United States, Europe, and Asia. The exploitation by these APT groups underscores the critical nature of this vulnerability and the need for immediate remediation.
Affected Product Versions
The affected product versions include FortiOS SSL-VPN versions 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier, and FortiProxy SSL-VPN versions 7.2.0 through 7.2.1, 7.0.7 and earlier.
Workaround and Mitigation
Vendor Recommendations: Fortinet has released patches to address this vulnerability. Users are strongly advised to update their FortiOS and FortiProxy installations to the latest versions as per the vendor's instructions. For FortiOS, update to versions 7.2.3, 7.0.9, 6.4.11, 6.2.12, or 6.0.16. For FortiProxy, update to versions 7.2.2, 7.0.8, or later.
Additional Mitigation: Network segmentation is recommended to isolate vulnerable systems from the rest of the network to limit potential lateral movement by attackers. Implement monitoring and detection mechanisms to identify and respond to suspicious activities related to this vulnerability.
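A triage helper for the version ranges and fixed releases listed above, as an added example that is not Fortinet's or Rescana's own tooling. It assumes versions are reported as dotted "major.minor.patch" strings (e.g. "7.0.8") and encodes the advisory's ranges literally, so "6.0.15 and earlier" and "7.0.7 and earlier" extend down to any older release.

```python
"""Affected-version check for CVE-2022-42475, built from the ranges this
advisory lists (added example, not vendor tooling). Version strings are assumed
to be dotted "major.minor.patch" as reported by the device, e.g. "7.0.8"."""
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive (low, high) affected ranges and the fixed release for each branch,
# transcribed from the Affected Product Versions and Mitigation sections.
AFFECTED = {
    "FortiOS": [
        ((7, 2, 0), (7, 2, 2), "7.2.3"),
        ((7, 0, 0), (7, 0, 8), "7.0.9"),
        ((6, 4, 0), (6, 4, 10), "6.4.11"),
        ((6, 2, 0), (6, 2, 11), "6.2.12"),
        ((0, 0, 0), (6, 0, 15), "6.0.16"),   # "6.0.15 and earlier"
    ],
    "FortiProxy": [
        ((7, 2, 0), (7, 2, 1), "7.2.2"),
        ((0, 0, 0), (7, 0, 7), "7.0.8"),     # "7.0.7 and earlier"
    ],
}


def parse_version(text: str) -> Version:
    """Turn "7.0.8" into (7, 0, 8); reject anything that is not three integers."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def check(product: str, version: str) -> Optional[str]:
    """Return the fixed release to upgrade to if (product, version) is affected,
    or None if the version falls outside every affected range."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED[product]:
        if low <= v <= high:
            return fixed
    return None


if __name__ == "__main__":
    # Constructed sample inventory of (product, reported version) pairs.
    for product, version in [("FortiOS", "7.0.8"), ("FortiOS", "7.0.9"),
                             ("FortiProxy", "6.2.3"), ("FortiOS", "5.6.14")]:
        fixed = check(product, version)
        status = f"AFFECTED, upgrade to {fixed}" if fixed else "not in an affected range"
        print(f"{product} {version}: {status}")
```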
Rescana is here for you
At Rescana, we understand the critical importance of staying ahead of cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform helps organizations identify, assess, and mitigate vulnerabilities in real-time. We are committed to providing our customers with the tools and insights needed to protect their systems and data. If you have any questions about this report or any other issue, please contact us at ops@rescana.com.