Project Hyphae
Search

New FortiOS SSL-VPN vulnerability

Share This Post

Fortinet released PSIRT Advisory on December 12, 2022 for its FortiOS SSL-VPN summarizing a vulnerability that could potentially allow for remote code execution and crash devices. This vulnerability has a CVSSv3 score of 9.3 and is being actively exploited. Users should update FortiOS devices to address.

Additionally, Fortinet has released IOCs seen in this attack. If you can’t update (or even if you have), be sure to threat hunt to make sure you have not been a target.

Multiple log entries with:
Logdesc=”Application crashed” and msg=”[…] application:sslvpnd,[…], Signal 11 received, Backtrace: […]“

Presence of the following artifacts in the filesystem:
/data/lib/libips.bak
/data/lib/libgif.so
/data/lib/libiptcp.so
/data/lib/libipudp.so
/data/lib/libjepg.so
/var/.sslvpnconfigbk
/data/etc/wxd.conf
/flash

Connections to suspicious IP addresses from the FortiGate:
188.34.130[.]40:444
103.131.189[.]143:30080,30081,30443,20443
192.36.119[.]61:8443,444
172.247.168[.]153:8033

Additional Resources:
https://www.bleepingcomputer.com/news/security/fortinet-says-ssl-vpn-pre-auth-rce-bug-is-exploited-in-attacks/
https://www.opencve.io/cve/CVE-2022-35843



Reach out to our incident response team for help

More To Explore

CVE-2024-3596 | Attackers Blasting RADIUS

CVE-2024-3596 | CVSS:9.0 A new and emerging attacked named “Blast-RADIUS”, allows a man-in-the-middle attack between the RADIUS client and server to forge a valid protocol

Do You Want to Shore Up Your Defenses?

We're opening our first round of threat hunting engagements to 100 organizations. Sign up or join the wait list here.