Project Hyphae
Search

New FortiOS SSL-VPN vulnerability

Share This Post

Fortinet released PSIRT Advisory on December 12, 2022 for its FortiOS SSL-VPN summarizing a vulnerability that could potentially allow for remote code execution and crash devices. This vulnerability has a CVSSv3 score of 9.3 and is being actively exploited. Users should update FortiOS devices to address.

Additionally, Fortinet has released IOCs seen in this attack. If you can’t update (or even if you have), be sure to threat hunt to make sure you have not been a target.

Multiple log entries with:
Logdesc=”Application crashed” and msg=”[…] application:sslvpnd,[…], Signal 11 received, Backtrace: […]“

Presence of the following artifacts in the filesystem:
/data/lib/libips.bak
/data/lib/libgif.so
/data/lib/libiptcp.so
/data/lib/libipudp.so
/data/lib/libjepg.so
/var/.sslvpnconfigbk
/data/etc/wxd.conf
/flash

Connections to suspicious IP addresses from the FortiGate:
188.34.130[.]40:444
103.131.189[.]143:30080,30081,30443,20443
192.36.119[.]61:8443,444
172.247.168[.]153:8033

Additional Resources:
https://www.bleepingcomputer.com/news/security/fortinet-says-ssl-vpn-pre-auth-rce-bug-is-exploited-in-attacks/
https://www.opencve.io/cve/CVE-2022-35843



Reach out to our incident response team for help

More To Explore

Information Security News 4-22-2024

Cisco Duo Warns Third-Party Data Breach Exposed SMS MFA Logs Article Link: https://www.bleepingcomputer.com/news/security/cisco-duo-warns-third-party-data-breach-exposed-sms-mfa-logs/ Notorious Russian Hacking Unit Linked to Breach of Texas Water Facility Article

Shane Farmer April 22, 2024

Information Security News 4-15-2024

Roku Disclosed a Security Incident Impacting 576,000 Accounts Article Link: https://securityaffairs.com/161765/data-breach/roku-second-data-breach.html FBI Warns of Massive Wave of Road Toll SMS Phishing Attacks Article Link: https://www.bleepingcomputer.com/news/security/fbi-warns-of-massive-wave-of-road-toll-sms-phishing-attacks/

Shane Farmer April 15, 2024

Do You Want to Shore Up Your Defenses?

We're opening our first round of threat hunting engagements to 100 organizations. Sign up or join the wait list here.