Fortinet is advising customers to update their appliances to protect against an actively exploited FortiOS SSL-VPN vulnerability that could permit unauthenticated remote code execution on the devices.
The flaw is tracked as CVE-2022-40684. It is a heap-based buffer overflow bug in the FortiOS SSL-VPN daemon (sslvpnd) that an unauthenticated remote attacker can exploit to crash the device and execute code.
Fortinet has issued a security advisory stating that “a heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSLVPN could allow a remote attacker to execute arbitrary code or commands via specially crafted requests.”
Olympe Cyberdefense reported the Fortinet zero-day vulnerability, advising users to monitor their logs and report any suspicious behavior until a fix was available.
Fortinet silently fixed the bug in FortiOS 7.2.3, released on November 28; the release notes contained no information about the vulnerability.
Fortinet today released a security advisory warning that the vulnerability is being actively exploited in attacks. Users should upgrade to the following versions to correct the problem:
FortiOS 7.2.3 or higher, FortiOS 7.0.9, FortiOS 6.4.12 or FortiOS 6.0.15; FortiOS-6K7K 7.0.8, FortiOS-6K7K 6.4.10 or FortiOS-6K7K 6.2.12.
Actively exploited in attacks
Although Fortinet did not provide details about the exploit, it did share indicators of compromise (IOCs) for the attacks.
Olympe Cyberdefense and Fortinet shared the following log entry as a sign of exploitation:
Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"
Fortinet also advised that the following file system artifacts may be found on exploited devices:
/data/lib/libips.bak
/data/lib/libgif.so
/data/lib/libiptcp.so
/data/lib/libipudp.so
/data/lib/libjepg.so
/var/.sslvpnconfigbk
/data/etc/wxd.conf
/flash
Fortinet also shared the following IP addresses (with ports) that were seen exploiting this vulnerability:
18.104.22.168:444
22.214.171.124:30080,30081,30443,20443
126.96.36.199:8443,444
188.8.131.52:8033
Threat intelligence company GreyNoise has identified the 184.108.40.206 IP address, which it saw performing network scans back in October.
Olympe Cyberdefense recommends that customers monitor their logs and disable SSL-VPN if they cannot apply the patches right away.
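As an added example (not code from the article, Fortinet or Olympe Cyberdefense), the following Python check applies the crash-log signature and the file-artifact list above to a constructed FortiOS log export; the key=value log layout and the sample lines are assumptions, and the sample lines are not real device output.

```python
import re
from typing import Iterable

# Indicators exactly as published in the article (not an exhaustive list).
CRASH_LOGDESC = "Application crashed"
CRASH_MSG_MARKERS = ("application:sslvpnd", "Signal 11 received")
ARTIFACT_PATHS = {
    "/data/lib/libips.bak", "/data/lib/libgif.so", "/data/lib/libiptcp.so",
    "/data/lib/libipudp.so", "/data/lib/libjepg.so", "/var/.sslvpnconfigbk",
    "/data/etc/wxd.conf", "/flash",
}

# Assumed FortiOS layout: space-separated key=value pairs, values optionally quoted.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortios_log(line: str) -> dict:
    """Turn one key=value log line into a dict with quotes stripped and keys lowercased."""
    return {m.group(1).lower(): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in _KV_RE.finditer(line)}


def is_sslvpnd_crash(line: str) -> bool:
    """True when the line carries the sslvpnd crash signature from the advisory."""
    fields = parse_fortios_log(line)
    msg = fields.get("msg", "")
    return (fields.get("logdesc") == CRASH_LOGDESC
            and all(marker in msg for marker in CRASH_MSG_MARKERS))


def find_crash_events(lines: Iterable[str]) -> list:
    """Return every log line matching the crash signature (other crashes are ignored)."""
    return [line for line in lines if is_sslvpnd_crash(line)]


def find_artifacts(paths: Iterable[str]) -> list:
    """Return the subset of observed paths that match the published artifact list."""
    return sorted(set(paths) & ARTIFACT_PATHS)


# Constructed sample export: one matching sslvpnd crash, one login, one unrelated crash.
SAMPLE_LOG = [
    'date=2022-12-12 time=10:01:02 logdesc="Application crashed" msg="Pid: 1234, application:sslvpnd, Signal 11 received, Backtrace: [0x0] [0x1]"',
    'date=2022-12-12 time=10:01:03 logdesc="Admin login successful" msg="Administrator admin logged in successfully from https(10.0.0.5)"',
    'date=2022-12-12 time=10:02:00 logdesc="Application crashed" msg="Pid: 999, application:httpsd, Signal 6 received, Backtrace: [0x2]"',
]

if __name__ == "__main__":
    print(find_crash_events(SAMPLE_LOG))
    print(find_artifacts(["/data/lib/libgif.so", "/data/lib/libssl.so", "/flash"]))
```

A match on the crash signature or on any listed path is a reason to treat the device as potentially compromised and preserve its logs before patching.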