Heap-based buffer overflow vulnerability in Fortinet FortiOS SSL-VPN appliances, patches available

Fortinet announced Monday that a heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote, unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. Successful exploitation could give an attacker remote code execution on the host running FortiOS and the ability to perform unauthorized actions; the vulnerability can also be used to crash the application, causing a denial of service.

The Sunnyvale, California-based company said in an alert issued Monday that it “is aware of an instance where this vulnerability was exploited in the wild.”

FortiOS SSL-VPN is widely used by organizations to securely grant users remote access to their network, including allowing users to work from home.

The vulnerability carries a high CVSSv3 score of 9.3. The affected products are FortiOS versions 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10 and 6.2.0 through 6.2.11, and FortiOS-6K7K versions 7.0.0 through 7.0.7, 6.4.0 through 6.4.9, 6.2.0 through 6.2.11 and 6.0.0 through 6.0.14.

Fortinet advised users to immediately validate their systems against indicators of compromise, including multiple log entries with “Logdesc=’Application crashed’ and msg=’[…] application:sslvpnd,[…], Signal 11 received, Backtrace: […].”
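One way to apply that indicator to exported FortiOS event logs, as an added example that is not part of the article or of Fortinet's own tooling: it parses the key="value" log format, flags entries whose logdesc is "Application crashed" and whose msg names application:sslvpnd together with a Signal 11 backtrace, and counts them. The sample lines and the threshold of two entries are constructed assumptions (the advisory only says "multiple log entries"), and the daemon name "exampled" in the last line is made up to show a crash that should not be flagged.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in FortiOS's key="value" event-log style.
# Dates, PIDs and backtrace addresses are made up for the example; not real device output.
SAMPLE_LOG = """\
date=2022-12-12 time=10:01:02 type="event" subtype="system" level="notice" logdesc="Admin login successful" msg="Administrator admin logged in successfully from https(10.0.0.5)"
date=2022-12-12 time=10:05:44 type="event" subtype="system" level="critical" logdesc="Application crashed" msg="[1234] application:sslvpnd,[5678], Signal 11 received, Backtrace: [0x00400000] [0x00400010]"
date=2022-12-12 time=10:05:50 type="event" subtype="system" level="critical" logdesc="Application crashed" msg="[1240] application:sslvpnd,[5690], Signal 11 received, Backtrace: [0x00400000] [0x00400020]"
date=2022-12-12 time=10:06:10 type="event" subtype="system" level="critical" logdesc="Application crashed" msg="[2000] application:exampled,[2001], Signal 11 received, Backtrace: [0x00410000]"
"""

# key=value where value is either a double-quoted string (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fields(line: str) -> Dict[str, str]:
    """Split one FortiOS log line into a dict; keys are lower-cased so Logdesc/logdesc both match."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        value = raw[1:-1] if raw.startswith('"') and raw.endswith('"') else raw
        fields[key.lower()] = value
    return fields


# The indicator from the advisory: a crash of the sslvpnd daemon with a SIGSEGV backtrace.
CRASH_LOGDESC = "application crashed"
SSLVPND_MARKERS = ("application:sslvpnd", "Signal 11 received", "Backtrace:")


def is_sslvpnd_crash(fields: Dict[str, str]) -> bool:
    """True when the entry matches the sslvpnd crash pattern described in the advisory."""
    msg = fields.get("msg", "")
    return (fields.get("logdesc", "").lower() == CRASH_LOGDESC
            and all(marker in msg for marker in SSLVPND_MARKERS))


def find_sslvpnd_crashes(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed entries that match the indicator, in log order."""
    entries = (parse_fields(line) for line in log_text.splitlines() if line.strip())
    return [fields for fields in entries if is_sslvpnd_crash(fields)]


def summarize(log_text: str, threshold: int = 2) -> Dict[str, Optional[object]]:
    """Count matching entries; 'suspicious' is set once the count reaches the threshold.

    The threshold is an assumption for this example; the advisory says only 'multiple'.
    Any sslvpnd crash on an unpatched build deserves a look regardless of the count.
    """
    hits = find_sslvpnd_crashes(log_text)
    stamps = [f"{h.get('date', '?')} {h.get('time', '?')}" for h in hits]
    return {
        "count": len(hits),
        "suspicious": len(hits) >= threshold,
        "first": stamps[0] if stamps else None,
        "last": stamps[-1] if stamps else None,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Point the script at a log export (for example, lines pulled from a syslog collector or FortiAnalyzer) instead of SAMPLE_LOG; matching on the parsed logdesc and msg fields rather than on the raw line avoids false hits from other daemons whose crash entries share the same Signal 11 wording.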

The company has made patches available in FortiOS versions 7.2.3 or above, 7.0.9 or above, 6.4.11 or above and 6.2.12 or above, and in FortiOS-6K7K versions 7.0.8 or above, 6.4.10 or above, 6.2.12 or above and 6.0.15 or above.
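To turn the affected and fixed version lists above into a check that can be run against a device inventory, here is an added example (not Fortinet's code and not from the article). The ranges are the ones stated here; a product or release branch the article does not mention is reported as "not listed" rather than as safe, since the advisory is the only source of truth for those.

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, first fixed) per release branch, taken from the article.
AFFECTED_RANGES: Dict[str, List[Tuple[Version, Version, Version]]] = {
    "FortiOS": [
        ((7, 2, 0), (7, 2, 2), (7, 2, 3)),
        ((7, 0, 0), (7, 0, 8), (7, 0, 9)),
        ((6, 4, 0), (6, 4, 10), (6, 4, 11)),
        ((6, 2, 0), (6, 2, 11), (6, 2, 12)),
    ],
    "FortiOS-6K7K": [
        ((7, 0, 0), (7, 0, 7), (7, 0, 8)),
        ((6, 4, 0), (6, 4, 9), (6, 4, 10)),
        ((6, 2, 0), (6, 2, 11), (6, 2, 12)),
        ((6, 0, 0), (6, 0, 14), (6, 0, 15)),
    ],
}


def parse_version(text: str) -> Version:
    """Parse '7.0.8' or 'v7.0.8' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def format_version(version: Version) -> str:
    return ".".join(str(n) for n in version)


def assess(product: str, version_text: str) -> Tuple[str, Optional[str]]:
    """Return (status, first fixed release in that branch or None).

    status is one of:
      'affected'   - inside a range the advisory lists as vulnerable
      'fixed'      - at or above the first patched release of that branch
      'not listed' - the advisory says nothing about this branch; verify with the
                     vendor rather than treating the device as unaffected
    """
    if product not in AFFECTED_RANGES:
        raise ValueError(f"unknown product: {product!r}")
    version = parse_version(version_text)
    for first, last, fixed in AFFECTED_RANGES[product]:
        if version[:2] != first[:2]:
            continue  # a different release branch (e.g. 6.4 vs 7.0)
        if first <= version <= last:
            return ("affected", format_version(fixed))
        if version >= fixed:
            return ("fixed", format_version(fixed))
    return ("not listed", None)


if __name__ == "__main__":
    # Constructed inventory entries for the demonstration.
    inventory = [("FortiOS", "7.0.8"), ("FortiOS", "7.2.3"),
                 ("FortiOS-6K7K", "6.0.14"), ("FortiOS", "6.0.14")]
    for product, ver in inventory:
        print(product, ver, assess(product, ver))
```

Tuple comparison keeps the ordering right where string comparison would not (6.4.10 sorts after 6.4.9 as a tuple but before it as a string), which is the usual bug in ad-hoc version checks.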

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert that “encourages users and administrators to review Fortinet security advisory FG-IR-22-398, apply the necessary updates, and validate systems against the IOCs listed in the advisory.”

The Australian Cyber Security Centre (ACSC) also issued an alert saying it is aware of a heap-based buffer overflow vulnerability in FortiOS SSL-VPN. “All Australian organisations should apply the available patch immediately. This Alert is relevant to organisations who deploy FortiOS to facilitate remote access for their users. The Alert is intended to be understood by slightly more technical users who maintain systems – there is no action for the end users to take,” it added.

The agency added that it is not aware of successful exploitation attempts against Australian organizations. However, it called upon affected Australian organizations to apply the available patch immediately, and investigate for signs of compromise.

In October, Fortinet reported an authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy, and FortiSwitchManager, which may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests. The advisory was subsequently updated to state that Fortinet is “aware of instances where this vulnerability was exploited to download the config file from the targeted devices and to add a malicious super_admin account called ‘fortigate-tech-support.’”