Initiatives for
As the national authority for Cybersecurity the CCB has developed several initiatives for specific publics which are presented here.
WARNING: Critical Authentication Bypass Vulnerability in Fortinet SSL VPN
Image
Published : 12/12/2022
Reference:
Advisory #2022-43
Version:
2.0
Affected software:
FortiOS version 5.0.0 through 5.0.14
FortiOS version 5.2.0 through 5.2.15
FortiOS version 5.4.0 through 5.4.13
FortiOS version 5.6.0 through 5.6.14
FortiOS version 6.0.0 through 6.0.15
FortiOS version 6.2.0 through 6.2.11
FortiOS version 6.4.0 through 6.4.10
FortiOS version 7.0.0 through 7.0.8
FortiOS version 7.2.0 through 7.2.2
FortiOS-6K7K version 6.0.0 through 6.0.14
FortiOS-6K7K version 6.2.0 through 6.2.11
FortiOS-6K7K version 6.4.0 through 6.4.9
FortiOS-6K7K version 7.0.0 through 7.0.7
Type:
Remote Code Execution (RCE)
CVE/CVSS:
CVE-2022-42475
CVSS score: 9.3
Sources
https://www.fortiguard.com/psirt/FG-IR-22-398
Risks
A new critical flaw affects Fortigate’s firewalls SSL VPN features.
The attack does not require any user interaction and can be executed remotely to lead to the full takeover of the vulnerable devices. The impact to confidentiality, integrity and availability is high.
This vulnerability is being actively exploited in the wild by threat actors.
In case of an intrusion, you can report the incident via: https://ccb.belgium.be/cert/report-incident
Description
This vulnerability can be easily exploited.
A heap-based buffer overflow vulnerability in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.
Recommended Actions
Upgrade
The CCB strongly encourages organisations to ensure they upgrade their systems to:
- FortiOS version 7.2.3 or above
- FortiOS version 7.0.9 or above
- FortiOS version 6.4.11 or above
- FortiOS version 6.2.12 or above
- upcoming FortiOS version 6.0.16 or above
- upcoming FortiOS-6K7K version 7.0.8 or above
- FortiOS-6K7K version 6.4.10 or above
- upcoming FortiOS-6K7K version 6.2.12 or above
- FortiOS-6K7K version 6.0.15 or above
Mitigation/workaround
- Disable the VPN-SSL feature if it is not essential.
- Look at your logs and check that no unauthorized access has been made.
- Set up conditional access rules (like GeoIP) to limit your exposure vector.
Monitoring/Detection
The CCB recommends organizations to upscale monitoring and detection capabilities and to detect any related suspicious activity, ensuring a fast response in case of an intrusion.
Monitor the presence of the following logs on your firewall:
Logdesc="Application crashed" and msg="[…] application:sslvpnd,[…], Signal 11 received, Backtrace: […]“
References
https://olympecyberdefense.fr/vpn-ssl-fortigate/
https://www.tenable.com/blog/cve-2022-42475-fortinet-patches-zero-day-in-fortios-ssl-vpns
https://thehackernews.com/2022/12/fortinet-warns-of-active-exploitation.html
https://research.kudelskisecurity.com/2022/12/12/bulletin-critical-severity-buffer-overflow-0-day-vulnerability-in-fortinet-ssl-vpn-under-active-exploitation-cve-2022-42475/