Last updated at Thu, 22 Dec 2022 15:53:14 GMT

Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too.

On December 12, 2022, FortiGuard Labs published advisory FG-IR-22-398 regarding a critical (CVSSv3 9.3) “heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN [which] may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.”

FortiGuard Labs has confirmed at least one instance of the vulnerability being exploited in the wild, and its advisory includes the currently known indicators of compromise (IOCs) that FortiOS administrators can use to check vulnerable systems for signs of tampering.

Pre-authentication remote code execution flaws in internet-facing VPN appliances have proven to be of high value to attackers. We strongly advise that organizations upgrade to an unaffected version of FortiOS on an emergency basis and follow FortiGuard’s advice to review existing systems for signs of compromise, since a version check alone shows exposure, not whether a device has already been tampered with.

Organizations that are unable to patch immediately are advised to disable SSL-VPN until they can upgrade.

Affected products

  • FortiOS version 7.2.0 through 7.2.2
  • FortiOS version 7.0.0 through 7.0.8
  • FortiOS version 6.4.0 through 6.4.10
  • FortiOS version 6.2.0 through 6.2.11
  • FortiOS version 6.0.0 through 6.0.15 (added 12/13/22)
  • FortiOS version 5.6.0 through 5.6.14 (added 12/13/22)
  • FortiOS version 5.4.0 through 5.4.13 (added 12/13/22)
  • FortiOS version 5.2.0 through 5.2.15 (added 12/13/22)
  • FortiOS version 5.0.0 through 5.0.14 (added 12/13/22)
  • FortiOS-6K7K version 7.0.0 through 7.0.7
  • FortiOS-6K7K version 6.4.0 through 6.4.9
  • FortiOS-6K7K version 6.2.0 through 6.2.11
  • FortiOS-6K7K version 6.0.0 through 6.0.14
  • FortiProxy version 7.2.0 through 7.2.1 (added 12/22/22)
  • FortiProxy version 7.0.0 through 7.0.7 (added 12/22/22)
  • FortiProxy version 2.0.0 through 2.0.11 (added 12/22/22)
  • FortiProxy version 1.2.0 through 1.2.13 (added 12/22/22)
  • FortiProxy version 1.1.0 through 1.1.6 (added 12/22/22)
  • FortiProxy version 1.0.0 through 1.0.7 (added 12/22/22)

Solutions

  • Please upgrade to FortiOS version 7.2.3 or above
  • Please upgrade to FortiOS version 7.0.9 or above
  • Please upgrade to FortiOS version 6.4.11 or above
  • Please upgrade to FortiOS version 6.2.12 or above
  • Please upgrade to FortiOS version 6.0.16 or above
  • Please upgrade to upcoming FortiOS-6K7K version 7.0.8 or above
  • Please upgrade to FortiOS-6K7K version 6.4.10 or above
  • Please upgrade to FortiOS-6K7K version 6.2.12 or above
  • Please upgrade to FortiOS-6K7K version 6.0.15 or above
  • Please upgrade to FortiProxy version 7.2.2 or above
  • Please upgrade to FortiProxy version 7.0.8 or above
  • Please upgrade to upcoming FortiProxy version 2.0.12 or above
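The affected and fixed ranges above can be turned into a quick local check against the output of the FortiOS `get system status` command. The following is an added example written for this page, not code from Rapid7 or Fortinet. The "Version:" line format it parses is reproduced from memory of recent releases and the sample lines are constructed; the rule that maps model names to product lines (FortiProxy models start with "FortiProxy", FortiGate 6000 and 7000 chassis models run the FortiOS-6K7K train, everything else is mainline FortiOS) is an assumption of the example, not something the advisory states. The fixed release recorded for a branch is the one listed in the Solutions section; branches the page lists no fix for (the FortiOS 5.x and FortiProxy 1.x trains) get `None`. It also surfaces an edge the two lists hide: 7.0.8 is affected on mainline FortiOS but is the fixed release on FortiOS-6K7K.

```python
"""Check a FortiOS / FortiProxy build against the CVE-2022-42475 ranges
listed on this page (FortiGuard advisory FG-IR-22-398)."""
import re
from typing import List, NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]

# (product, first affected, last affected, first fixed), inclusive, copied from
# the Affected products and Solutions lists on this page. None means the page
# lists no fixed release for that branch, so the remedy is to move to a
# supported branch or disable SSL-VPN.
RANGES: List[Tuple[str, Version, Version, Optional[Version]]] = [
    ("FortiOS",      (7, 2, 0), (7, 2, 2),  (7, 2, 3)),
    ("FortiOS",      (7, 0, 0), (7, 0, 8),  (7, 0, 9)),
    ("FortiOS",      (6, 4, 0), (6, 4, 10), (6, 4, 11)),
    ("FortiOS",      (6, 2, 0), (6, 2, 11), (6, 2, 12)),
    ("FortiOS",      (6, 0, 0), (6, 0, 15), (6, 0, 16)),
    ("FortiOS",      (5, 6, 0), (5, 6, 14), None),
    ("FortiOS",      (5, 4, 0), (5, 4, 13), None),
    ("FortiOS",      (5, 2, 0), (5, 2, 15), None),
    ("FortiOS",      (5, 0, 0), (5, 0, 14), None),
    ("FortiOS-6K7K", (7, 0, 0), (7, 0, 7),  (7, 0, 8)),
    ("FortiOS-6K7K", (6, 4, 0), (6, 4, 9),  (6, 4, 10)),
    ("FortiOS-6K7K", (6, 2, 0), (6, 2, 11), (6, 2, 12)),
    ("FortiOS-6K7K", (6, 0, 0), (6, 0, 14), (6, 0, 15)),
    ("FortiProxy",   (7, 2, 0), (7, 2, 1),  (7, 2, 2)),
    ("FortiProxy",   (7, 0, 0), (7, 0, 7),  (7, 0, 8)),
    ("FortiProxy",   (2, 0, 0), (2, 0, 11), (2, 0, 12)),
    ("FortiProxy",   (1, 2, 0), (1, 2, 13), None),
    ("FortiProxy",   (1, 1, 0), (1, 1, 6),  None),
    ("FortiProxy",   (1, 0, 0), (1, 0, 7),  None),
]

# Matches the "Version:" line of `get system status`, which on recent releases
# looks like "Version: FortiGate-100F v7.0.8,build0418,221013 (GA)". Verify the
# format against your own device; this is an assumption of the example.
VERSION_RE = re.compile(r"Version:\s*(\S+)\s+v(\d+)\.(\d+)\.(\d+)")


class Assessment(NamedTuple):
    product: str
    version: Version
    affected: bool
    fixed: Optional[Version]  # first fixed release in the same branch, if listed


def product_for_model(model: str) -> str:
    """Map a model name to the product line used by the advisory.

    Assumption (not from the advisory): FortiProxy models start with
    "FortiProxy"; the FortiOS-6K7K train covers the FortiGate 6000 and 7000
    chassis series (four-digit model numbers starting with 6 or 7); every
    other model runs mainline FortiOS.
    """
    if model.startswith("FortiProxy"):
        return "FortiProxy"
    if re.fullmatch(r"FortiGate-[67]\d{3}[A-Z]*", model):
        return "FortiOS-6K7K"
    return "FortiOS"


def check_version(product: str, version: Version) -> Assessment:
    """Return whether (product, version) falls inside a listed affected range."""
    for prod, first, last, fixed in RANGES:
        if prod == product and first <= version <= last:
            return Assessment(product, version, True, fixed)
    return Assessment(product, version, False, None)


def assess(status_output: str) -> Assessment:
    """Parse `get system status` text and assess it against the ranges."""
    m = VERSION_RE.search(status_output)
    if not m:
        raise ValueError("no 'Version:' line found in get system status output")
    model = m.group(1)
    version = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
    return check_version(product_for_model(model), version)


if __name__ == "__main__":
    # Constructed sample lines, not captured from real devices.
    for line in (
        "Version: FortiGate-100F v7.0.8,build0418,221013 (GA)",
        "Version: FortiGate-6301F v7.0.8,build0418,221013 (GA)",
        "Version: FortiProxy-VM64 v2.0.11,build0417,221108 (GA)",
        "Version: FortiGate-60E v5.6.10,build1714,200305 (GA)",
    ):
        a = assess(line)
        fix = ".".join(map(str, a.fixed)) if a.fixed else "no fixed release listed"
        print(f"{a.product} {'.'.join(map(str, a.version))}: "
              f"{'AFFECTED' if a.affected else 'not affected'} ({fix})")
```

Run it on the saved output of `get system status` from each device, or call `check_version` directly from inventory data. An "AFFECTED" result means the build is exposed and should be upgraded to the listed release; a "not affected" result says nothing about whether the device was already compromised while it was vulnerable, so the IOC review in the FortiGuard advisory still applies.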

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2022-42475 on FortiOS via an authenticated scan with the December 12 content release.

Updates

December 13, 2022 9:30AM ET: Updated affected products, solutions, and workaround to match the updated vendor advisory.

December 14, 2022 10:15AM ET: Updated solutions to match updated vendor advisory.

December 16, 2022 11:15AM ET: Updated solutions to match updated vendor advisory.

December 22, 2022 10:33AM ET: Updated affected products and solutions to match the updated vendor advisory which now includes FortiProxy.