Fortinet urges customers to patch their appliances against an actively exploited FortiOS SSL-VPN vulnerability that could allow unauthenticated remote code execution on devices.

The security flaw is identified as CVE-2022-40684 and is a heap-based buffer overflow bug in FortiOS sslvpnd. When exploited, the flaw could allow unauthenticated users to remotely crash devices and potentially execute code.

“A heap-based buffer overflow vulnerability [CWE-122] SSL-VPN in FortiOS may allow an unauthenticated remote attacker to execute arbitrary code or commands through specially crafted requests,” Fortinet warns in a security advisory released today.

As reported by LeMagITFrench cybersecurity company Olympe Cyberdefense first revealed the Fortinet zero-day vulnerability, warning users to monitor their logs for suspicious activity until a fix is ​​released.

Fortinet quietly fixed the bug on November 28 when FortiOS 7.2.3 was released. However, the company did not disclose information about the vulnerability in the release notes.

Today, Fortinet released a security advisory FG-IR-22-398warning that the vulnerability has been actively exploited in attacks and that all users should update to the following versions to fix the bug.

FortiOS version 7.2.3 or above
FortiOS version 7.0.9 or above
FortiOS version 6.4.11 or above
FortiOS version 6.2.12 or above
FortiOS-6K7K version 7.0.8 or above
FortiOS-6K7K version 6.4.10 or above
FortiOS-6K7K version 6.2.12 or above
FortiOS-6K7K version 6.0.15 or above

Actively exploited in attacks

Although Fortinet did not provide any information on how the flaw is being exploited, they did share the IOCs related to the attacks.

As previously shared by Olympe Cyberdefense and now Fortinet, when the vulnerability is exploited, it will generate the following log entries:

Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]“

Fortinet warned that the following file system artifacts would be present on exploited devices:

/data/lib/libips.bak
/data/lib/libgif.so
/data/lib/libiptcp.so
/data/lib/libipudp.so
/data/lib/libjepg.so
/var/.sslvpnconfigbk
/data/etc/wxd.conf
/flash

Fortinet also shared a list of IP addresses seen exploiting the vulnerability, listed below.

188.34.130.40:444
103.131.189.143:30080,30081,30443,20443
192.36.119.61:8443,444
172.247.168.153:8033

Among these IP addresses, threat intelligence firm Gray Noise detected the address 103.131.189.143 previously performing network scans in October.

If unable to apply fixes immediately, Olympe Cyberdefense suggests customers monitor logs, disable VPN-SSL functionality and create access rules to limit connections from specific IP addresses.