Threat Response: Critical vulnerability in Fortinet SSL VPN

12-12-2022

A SAFE DIGITAL JOURNEY

On the 12th of December, Fortinet resolved a vulnerability in the Fortinet SSL VPN[1]. Northwave recommends to install the update as soon as possible. The vulnerability is tracked under CVE-2022-42475 and has a CVSSv3.1 score of 9.3. The vulnerability allows unauthorized attackers to obtain remote code execution on the Fortinet SSL VPN systems via a specially crafted request due to a heap-based buffer overflow vulnerability in the FortiOS SSL VPN service.

Since these vulnerabilities could have a big impact, Northwave would like to warn you and advice you on actions to take to mitigate the risk of the vulnerability.

Description

The Fortinet SSL VPN is an on-premise solution to establish a secure, encrypted connection between the public internet and the corporate network. These systems are mostly publicly available on the internet allowing users to connect to the VPN from anywhere.

The following versions of the Fortinet FortiOS with the SSL VPN are vulnerable:

  • FortiOS version 7.2.0 trough 7.2.2
  • FortiOS version 7.0.0 trough 7.0.8
  • FortiOS version 6.4.0 trough 6.4.10
  • FortiOS version 6.2.0 trough 6.2.11
  • FortiOS-6K7K version 7.0.0 through 7.0.7
  • FortiOS-6K7K version 6.4.0 through 6.4.9
  • FortiOS-6K7K version 6.2.0 through 6.2.11
  • FortiOS-6K7K version 6.0.0 through 6.0.14

Impact

Since these vulnerabilities make it possible for an attacker to gain unauthorized access Fortinet SSL VPN environments and possibly the applications running in these environments. Northwave assumes that exploitation of these vulnerabilities will have a high impact. At this time there are indications that the vulnerabilities are actively exploited according to Fortinet[1]. Because the information regarding these vulnerabilities is now publicly available and active exploitation was confirmed by Fortinet, Northwave expects Proof-of-Concept exploit code for this vulnerability will be published soon.

Risk

Northwave estimates the risk of these vulnerabilities as high, because of the popularity of these Fortinet SSL VPN solutions and the widespread usage of this software. The main risk is that an attacker could gain unauthorized access to the systems and the internal network through the VPN system.

Mitigation

Fortinet has released an update for the vulnerabilities on December 12th. Northwave advises users which use the vulnerable versions of the Fortinet SSL VPN to update to the following versions as soon as possible:

  • FortiOS version 7.2.3 or higher
  • FortiOS version 7.0.9 or higher
  • FortiOS version 6.4.11 or higher
  • FortiOS version 6.2.12 or higher
  • FortiOS-6K7K version 7.0.8 or higher
  • FortiOS-6K7K version 6.4.10 or higher
  • FortiOS-6K7K version 6.2.12 or higher
  • FortiOS-6K7K version 6.0.15 or higher

What should you do?

Northwave recommends to update the Fortinet SSL VPN to one of the versions mentioned above as soon as possible if you use a vulnerable version of the software.

What will Northwave do?

For customers with IDRS Northwave included the known IOC’s provided by Fortinet into the Northwave Detection Platform (NDP).

Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information.

E-mail: [email protected] Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909

Disclaimer applies, see below.

Sources

[1]: https://www.fortiguard.com/psirt/FG-IR-22-398

 

Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.