Overview
A heap-based buffer overflow vulnerability in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.
- FortiGuard Labs PSIRT Advisories
Vulnerable systems
- FortiOS version 7.2.0 through 7.2.2
- FortiOS version 7.0.0 through 7.0.8
- FortiOS version 6.4.0 through 6.4.10
- FortiOS version 6.2.0 through 6.2.11
- FortiOS version 6.0.0 through 6.0.15
- FortiOS version 5.6.0 through 5.6.14
- FortiOS version 5.4.0 through 5.4.13
- FortiOS version 5.2.0 through 5.2.15
- FortiOS version 5.0.0 through 5.0.14
- FortiOS-6K7K version 7.0.0 through 7.0.7
- FortiOS-6K7K version 6.4.0 through 6.4.9
- FortiOS-6K7K version 6.2.0 through 6.2.11
- FortiOS-6K7K version 6.0.0 through 6.0.14
Scope of the problem
The vulnerability is exploited for some time (the exact date of the beginning of exploitation is unknown). If you have a FortiOS device with the SSL-VPN publicly accessible, you should consider a standard incident response procedure (even if you have auto-update activated).
Fixing and mitigation
- Upgrade to FortiOS version 7.2.3 or above
- Upgrade to FortiOS version 7.0.9 or above
- Upgrade to FortiOS version 6.4.11 or above
- Upgrade to FortiOS version 6.2.12 or above
- Upgrade to FortiOS-6K7K version 7.0.8 or above
- Upgrade to FortiOS-6K7K version 6.4.10 or above
- Upgrade to FortiOS-6K7K version 6.2.12 or above
- Upgrade to FortiOS-6K7K version 6.0.15 or above
Firmware can be downloaded via Fortinet Support. The maintenance contract might be required in order to download the firmware. If you cannot update the software, disabling SSL-VPN is an option.
Detection and logs
In the report from the FortiGuard PSIRT, the following logs entries are potential artifact for detecting an exploited device:
Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]“
Have you seen exploited server in Luxembourg?
There are a significant number of potential exploited Fortigate devices with SSL-VPN enabled in Luxembourg. We are sending notifications to the ISP abuse contact.
I applied the patch and I don’t have any resources for doing further investigation. What should I do?
In all the cases, we recommend to perform a full incident response process including the security review of the system. If you have the ability to reinstall the device from scratch, this is a safer approach.
References
- FortiOS - heap-based buffer overflow in sslvpnd
- MISP event - UUID e132e5f2-1a09-43e4-b2d6-8046c730616f
Classification of this document
TLP:WHITE information may be distributed without restriction, subject to copyright controls.
Revision
- Version 1.1 - TLP:WHITE - Older version of FortiOS are vulnerable and some updates in the MISP event (new IP addresses from the Fortinet document)
- Version 1.0 - TLP:WHITE - First version - 13th December 2022