Fortinet has released a patch for a critical zero-day security vulnerability affecting its FortiOS SSL-VPN product. The vulnerability could lead to remote code execution and is actively exploited. Therefore Fortinet urges customers to patch immediately.
What is CVE-2022-42475?
The critical flaw, identified as CVE-2022-42475 (CVSS score: 9.3), relates to a heap-based buffer overflow (CWE-122) vulnerability that could enable an unauthenticated attacker to execute arbitrary code remotely through specially crafted requests.
Olympe Cyberdefense published about the vulnerability on December 9 and made the initial disclosure. The firm reviewed CVE-2022-42475 as “simple to exploit” but has not provided further information about exploitation.
Impacted products by CVE-2022-42475
The flaw affects the following products:
- FortiOS version 7.2.0 through 7.2.2
- FortiOS version 7.0.0 through 7.0.8
- FortiOS version 6.4.0 through 6.4.10
- FortiOS version 6.2.0 through 6.2.11
- FortiOS-6K7K version 7.0.0 through 7.0.7
- FortiOS-6K7K version 6.4.0 through 6.4.9
- FortiOS-6K7K version 6.2.0 through 6.2.11
- FortiOS-6K7K version 6.0.0 through 6.0.14
All users should update to the following versions to fix the security vulnerability, according to a security advisory published today by Fortinet.
Versions for FortiOS:
- 7.2.3 or above
- 7.0.9 or above
- 6.4.11 or above
- 6.2.12 or above
Versions for FortiOS-6K7K:
- 7.0.8 or above
- 6.4.10 or above
- 6.2.12 or above
- 6.0.15 or above
Are there any exploits in the wild forCVE-2022-42475?
The company claimed that the vulnerability is being actively exploited in the wild but has not provided any proof-of-concept yet.
Are there any threat actors actively exploiting CVE-2022-42475?
Fortinet has not yet identified any specific threat actors or groups that have exploited CVE-2022-42475.
How to detect CVE-2022-42475?
Fortinet advises checking for the following indicators of compromise (IOCs) on your systems:
Multiple log entries:
- Logdesc=”Application crashed” and msg=”[…] application:sslvpnd,[…], Signal 11 received, Backtrace: […]“
Suspicious IP connections from FortiGate:
How to mitigate CVE-2022-42475?
If you cannot apply the patches right away, users are advised to monitor logs, turn off VPN-SSL, and set up access rules to only allow connections from particular IP addresses.
You can find the original security advisory by Fortinet here.
How can SOCRadar help with CVE-2022-42475?
Security teams constantly look for undiscovered assets or vulnerabilities that adversaries could use. When a vulnerability related to a company’s assets is visible on an external network and its applications are published, SOCRadar notifies the company.
The highly accurate scanning engine recognizes and notifies you when a critical vulnerability is cross-referenced to your digital assets, such as:
- Web application firewalls
- VPN appliances
- Network services
- Web applications
- CMS applications