A critical security vulnerability has been detected in FortiOS’s SSL-VPN (sslvpnd) that could allow threat actors to remote code execution (RCE) on affected installations.
The security vulnerability, tracked as CVE-2022-42475, is caused by a Heap-based Buffer Overflow affecting the sslvpnd daemon component. An unauthenticated, remote threat actor can manipulate the SSL-VPN component through specially crafted data, triggering a stack-based buffer overflow and executing arbitrary code on the targeted system. Fortinet states that this vulnerability is actively exploited and recommends that users check their systems for the following indicators of compromise.
If the following log string is observed more than once in user systems;
- Logdesc=”Application Crashed” And Msg=”[…] Application:sslvpnd,[…], Signal 11 Received, Backtrace: […]
If the existence of the following structures is detected in the file system;
- /Data/Lib/Libips.Bak
- /Data/Lib/Libgif.So
- /Data/Lib/Libiptcp.So
- /Data/Lib/Libipudp.So
- /Data/Lib/Libjepg.So
- /Var/.Sslvpnconfigbk
- /Data/Etc/Wxd.Conf
- /Flash
If connections are made from FortiGate to the following suspicious IP addresses:
- 34.130.40:444
- 131.189.143:30080,30081,30443,20443
- 36.119.61:8443,444
- 247.168.153:8033
Threat actors actively exploit the vulnerability. In this context, in order not to be the target of attacks that can be carried out using vulnerabilities, it is recommended to immediately implement the published updates and prevent the specified consensus indicators (IoC) from the security solutions in use.