Project Hyphae

New FortiOS SSL-VPN vulnerability


On December 12, 2022, Fortinet released PSIRT advisory FG-IR-22-398 for CVE-2022-42475, a heap-based buffer overflow in the FortiOS SSL-VPN daemon (sslvpnd). A remote, unauthenticated attacker who sends specially crafted requests can crash the daemon and potentially execute arbitrary code on the device. Fortinet rates the flaw CVSSv3 9.3 and reports that it is being exploited in the wild, so affected FortiOS builds should be upgraded to the fixed versions listed in the advisory.

Fortinet also published the indicators of compromise it has observed in these attacks. Whether or not you can patch immediately (and even after you have, since upgrading does not evict an attacker who already landed), hunt for the following on your FortiGate devices to confirm you were not a target.

Multiple log entries with:
Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"
(Signal 11 is SIGSEGV; a run of such sslvpnd crashes is consistent with repeated exploitation attempts, which is why the advisory points at multiple entries rather than a single one.)

Presence of the following artifacts in the filesystem:
/data/lib/libips.bak
/data/lib/libgif.so
/data/lib/libiptcp.so
/data/lib/libipudp.so
/data/lib/libjepg.so
/var/.sslvpnconfigbk
/data/etc/wxd.conf
/flash

Outbound connections originating from the FortiGate itself (not traffic transiting it) to the following addresses and ports:
188.34.130[.]40:444
103.131.189[.]143:30080,30081,30443,20443
192.36.119[.]61:8443,444
172.247.168[.]153:8033
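The three IOC checks above can be run over exported FortiGate syslog and a filesystem listing pulled from the device. The script below is an added example written for this post, not code from Fortinet or Project Hyphae: the IOC values come from the advisory, but the sample log lines and directory listing are constructed, and the field names (devname, dstip, dstport, logdesc, msg) are assumed to follow FortiGate's key=value syslog layout.

```python
"""Hunt FortiGate logs and filesystem listings for the FG-IR-22-398 IOCs.

Added example for this post; it is not code from Fortinet or Project Hyphae.
The IOC values come from the advisory. The log and listing samples at the
bottom are constructed, and the field names (devname, dstip, dstport,
logdesc, msg) are assumed to follow FortiGate's key=value syslog format.
"""
import re
from collections import Counter

# Filesystem artifacts named in the advisory (exact paths).
ARTIFACT_PATHS = {
    "/data/lib/libips.bak",
    "/data/lib/libgif.so",
    "/data/lib/libiptcp.so",
    "/data/lib/libipudp.so",
    "/data/lib/libjepg.so",
    "/var/.sslvpnconfigbk",
    "/data/etc/wxd.conf",
    "/flash",
}

# Suspicious destinations from the advisory, de-fanged brackets removed:
# IP -> set of ports seen. Matching on IP *and* port keeps noise down.
C2_DESTINATIONS = {
    "188.34.130.40": {444},
    "103.131.189.143": {30080, 30081, 30443, 20443},
    "192.36.119.61": {8443, 444},
    "172.247.168.153": {8033},
}

# key=value pairs; a value is either a double-quoted string (which may
# contain spaces, commas and colons) or a bare run of non-whitespace.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(line: str) -> dict:
    """Parse one FortiGate-style log line into a dict with lowercase keys."""
    fields = {}
    for key, val in _KV_RE.findall(line):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        fields[key.lower()] = val
    return fields


def is_sslvpnd_crash(fields: dict) -> bool:
    """The advisory's crash signature: logdesc 'Application crashed' whose msg
    names application:sslvpnd and 'Signal 11 received' (SIGSEGV)."""
    if fields.get("logdesc", "").lower() != "application crashed":
        return False
    msg = fields.get("msg", "").lower()
    return "application:sslvpnd" in msg and "signal 11 received" in msg


def crash_counts(lines) -> Counter:
    """Count sslvpnd segfaults per device; the advisory points at *multiple*
    such entries, so a repeat count is more telling than a single hit."""
    counts = Counter()
    for line in lines:
        fields = parse_kv(line)
        if is_sslvpnd_crash(fields):
            counts[fields.get("devname", "unknown")] += 1
    return counts


def c2_hits(lines) -> list:
    """(devname, dstip, dstport) for log lines whose destination is an
    advisory IP on one of the ports listed for that IP."""
    hits = []
    for line in lines:
        fields = parse_kv(line)
        ip, port = fields.get("dstip"), fields.get("dstport", "")
        if ip in C2_DESTINATIONS and port.isdigit() and int(port) in C2_DESTINATIONS[ip]:
            hits.append((fields.get("devname", "unknown"), ip, int(port)))
    return hits


def artifact_hits(listing) -> list:
    """Paths from a device filesystem listing that exactly match an IOC path."""
    return sorted(path for path in set(listing) if path in ARTIFACT_PATHS)


# Constructed sample input: two sslvpnd segfaults and one unrelated crash on
# fw-edge1, one connection to an IOC IP on a listed port and one on an
# unlisted port, plus a benign event on fw-edge2.
SAMPLE_LOGS = [
    'date=2022-12-12 time=10:41:03 devname="fw-edge1" logdesc="Application crashed" '
    'msg="Application crashed: application:sslvpnd, pid 1234, Signal 11 received, Backtrace: [0x41c2b0]"',
    'date=2022-12-12 time=10:41:09 devname="fw-edge1" logdesc="Application crashed" '
    'msg="Application crashed: application:sslvpnd, pid 1240, Signal 11 received, Backtrace: [0x41c2b0]"',
    'date=2022-12-12 time=10:42:00 devname="fw-edge1" logdesc="Application crashed" '
    'msg="Application crashed: application:httpsd, pid 99, Signal 11 received, Backtrace: [0x1]"',
    'date=2022-12-12 time=10:43:17 devname="fw-edge1" type="traffic" srcip=10.0.0.1 '
    'dstip=103.131.189.143 dstport=30443 action="accept"',
    'date=2022-12-12 time=10:43:20 devname="fw-edge1" type="traffic" srcip=10.0.0.1 '
    'dstip=103.131.189.143 dstport=443 action="accept"',
    'date=2022-12-12 time=10:44:00 devname="fw-edge2" logdesc="Admin login successful" '
    'msg="Administrator admin logged in successfully from ssh"',
]
# Constructed listing, as it might be pasted from the device's /data tree.
SAMPLE_LISTING = ["/data/lib/libips.so", "/data/lib/libips.bak",
                  "/data/etc/wxd.conf", "/data/lib/libjpeg.so"]

if __name__ == "__main__":
    print("sslvpnd crashes per device:", dict(crash_counts(SAMPLE_LOGS)))
    print("connections to advisory IP:port pairs:", c2_hits(SAMPLE_LOGS))
    print("artifact paths present:", artifact_hits(SAMPLE_LISTING))
```

Two choices are deliberate. The connection check requires both the IP and a listed port, so the constructed line to 103.131.189.143:443 is not reported; if you would rather be noisy than miss a variant, drop the port test and alert on the IP alone. The artifact check is an exact-path match, so the legitimate /data/lib/libips.so and the correctly spelled libjpeg.so are ignored while the misspelled libjepg.so from the advisory would be caught.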

Additional Resources:
https://www.bleepingcomputer.com/news/security/fortinet-says-ssl-vpn-pre-auth-rce-bug-is-exploited-in-attacks/
https://www.opencve.io/cve/CVE-2022-42475
