{ "Event": { "analysis": "1", "date": "2022-12-13", "extends_uuid": "", "info": "OSINT - Fortinet says SSL-VPN pre-auth RCE bug is exploited in attacks", "publish_timestamp": "1671440309", "published": true, "threat_level_id": "1", "timestamp": "1671440259", "uuid": "e132e5f2-1a09-43e4-b2d6-8046c730616f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#004646", "local": "0", "name": "type:OSINT", "relationship_type": "" }, { "colour": "#0071c3", "local": "0", "name": "osint:lifetime=\"perpetual\"", "relationship_type": "" }, { "colour": "#0087e8", "local": "0", "name": "osint:certainty=\"50\"", "relationship_type": "" }, { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"", "relationship_type": "" } ], "Attribute": [ { "category": "Artifacts dropped", "comment": "IDS not flag not set (as many FPs are possible) but for forensic evaluation it could be useful (as mentioned in Fortinet report as \"Presence of the following artifacts in the filesystem:\").", "deleted": false, "disable_correlation": false, "timestamp": "1670918523", "to_ids": false, "type": "filename-pattern", "uuid": "67c635c3-156e-4374-8539-03dc022ead94", "value": "/data/lib/libips.bak" }, { "category": "Artifacts dropped", "comment": "IDS not flag not set (as many FPs are possible) but for forensic evaluation it could be useful (as mentioned in Fortinet report as \"Presence of the following artifacts in the filesystem:\").", "deleted": false, "disable_correlation": false, "timestamp": "1670918523", "to_ids": false, "type": "filename-pattern", "uuid": "056cf46f-19ac-4d56-b479-2910c6338304", "value": "/data/lib/libgif.so" }, { "category": "Artifacts dropped", "comment": "IDS not flag not set (as many FPs are possible) but for forensic evaluation it could be useful (as mentioned in Fortinet report as \"Presence of the following artifacts in the filesystem:\").", "deleted": false, "disable_correlation": false, "timestamp": "1670918523", "to_ids": false, "type": "filename-pattern", "uuid": "418c4e99-bc14-4758-acb7-79839693c7a5", "value": "/data/lib/libiptcp.so" }, { "category": "Artifacts dropped", "comment": "IDS not flag not set (as many FPs are possible) but for forensic evaluation it could be useful (as mentioned in Fortinet report as \"Presence of the following artifacts in the filesystem:\").", "deleted": false, "disable_correlation": false, "timestamp": "1670918523", "to_ids": false, "type": "filename-pattern", "uuid": "d369428b-c79c-4e53-ac8b-e66b7e37bf35", "value": "/data/lib/libipudp.so" }, { "category": "Artifacts dropped", "comment": "IDS not flag not set (as many FPs are possible) but for forensic evaluation it could be useful (as mentioned in Fortinet report as \"Presence of the following artifacts in the filesystem:\").", "deleted": false, "disable_correlation": false, "timestamp": "1670918523", "to_ids": false, "type": "filename-pattern", "uuid": "27d86af6-151c-4222-90f4-4e78da4ea247", "value": "/data/lib/libjepg.so" }, { "category": "Artifacts dropped", "comment": "IDS not flag not set (as many FPs are possible) but for forensic evaluation it could be useful (as mentioned in Fortinet report as \"Presence of the following artifacts in the filesystem:\").", "deleted": false, "disable_correlation": false, "timestamp": "1670918523", "to_ids": false, "type": "filename-pattern", "uuid": "34941db8-634e-41c6-8547-3f21dc259b8f", "value": "/var/.sslvpnconfigbk" }, { "category": "Artifacts dropped", "comment": "IDS not flag not set (as many FPs are possible) but for forensic evaluation it could be useful (as mentioned in Fortinet report as \"Presence of the following artifacts in the filesystem:\").", "deleted": false, "disable_correlation": false, "timestamp": "1670918523", "to_ids": false, "type": "filename-pattern", "uuid": "25ec1150-a6b5-4ddd-8fd4-0667afc4791a", "value": "/data/etc/wxd.conf" }, { "category": "Artifacts dropped", "comment": "IDS not flag not set (as many FPs are possible) but for forensic evaluation it could be useful (as mentioned in Fortinet report as \"Presence of the following artifacts in the filesystem:\").", "deleted": false, "disable_correlation": false, "timestamp": "1670918523", "to_ids": false, "type": "filename-pattern", "uuid": "631df53c-1aa6-49cb-8147-2938c98de666", "value": "/flash" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1671440259", "to_ids": true, "type": "ip-dst", "uuid": "c11e8f34-bd5c-455c-97c6-f8e1963cdc9f", "value": "139.180.184.197" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1671440259", "to_ids": true, "type": "ip-dst", "uuid": "75c27d03-3cda-44ac-93e3-eefa8fb17262", "value": "66.42.91.32" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1671440259", "to_ids": true, "type": "ip-dst", "uuid": "2694f1c0-6740-4581-a259-8258400713ac", "value": "158.247.221.101" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1671440259", "to_ids": true, "type": "ip-dst", "uuid": "857a5707-7a4f-4dbe-85ed-ba23bdaf5883", "value": "107.148.27.117" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1671440259", "to_ids": true, "type": "ip-dst", "uuid": "28031de1-697f-4cab-9667-a424c98a8ed0", "value": "139.180.128.142" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1671440259", "to_ids": true, "type": "ip-dst", "uuid": "01257f8a-da5d-42a1-a530-daf87ab7b111", "value": "155.138.224.122" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1671440259", "to_ids": true, "type": "ip-dst", "uuid": "e04f171a-85a5-4e27-a59a-e84fb0c74b0c", "value": "185.174.136.20" } ], "Object": [ { "comment": "", "deleted": false, "description": "Metadata used to generate an executive level report", "meta-category": "misc", "name": "report", "template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df", "template_version": "7", "timestamp": "1670917344", "uuid": "f22cb310-aa8a-420c-88ba-4cc741d0e3db", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "link", "timestamp": "1670917344", "to_ids": false, "type": "link", "uuid": "7ddc9a29-e3c2-4456-b9ab-0bae752dce65", "value": "https://www.bleepingcomputer.com/news/security/fortinet-says-ssl-vpn-pre-auth-rce-bug-is-exploited-in-attacks/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "summary", "timestamp": "1670917344", "to_ids": false, "type": "text", "uuid": "fc9fe6a2-b019-45db-ae35-c820003f1d8a", "value": "Fortinet urges customers to patch their appliances against an actively exploited FortiOS\u00a0SSL-VPN vulnerability that could allow unauthenticated remote code execution on devices.\r\n\r\nThe security flaw is tracked as CVE-2022-42475 and is a heap-based buffer overflow bug in FortiOS sslvpnd. When exploited, the flaw could allow unauthenticated users to crash devices remotely and potentially perform code execution." }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "type", "timestamp": "1670917344", "to_ids": false, "type": "text", "uuid": "be393bf3-786c-429a-8f25-24d089647e04", "value": "Webpage" } ] }, { "comment": "", "deleted": false, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "9", "timestamp": "1670917384", "uuid": "52dc5914-7a94-4833-a5e9-05a7e4164a26", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1670917384", "to_ids": false, "type": "port", "uuid": "ec469574-cbb9-425d-8944-805c337cec48", "value": "444" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1670917384", "to_ids": true, "type": "ip-dst", "uuid": "ec3493d3-8b02-40e1-bb0e-a307d6e56a59", "value": "188.34.130.40" } ] }, { "comment": "", "deleted": false, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "9", "timestamp": "1670917433", "uuid": "53d7e397-b677-4629-8322-86bfdb015e6d", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1670917433", "to_ids": false, "type": "port", "uuid": "2ec70401-7dbd-4cae-bb48-39e2eeed056c", "value": "30080" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1670917433", "to_ids": false, "type": "port", "uuid": "3a58b2d9-4d58-49f2-96cf-b404490214a9", "value": "30081" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1670917433", "to_ids": false, "type": "port", "uuid": "0aa2923c-0911-4f17-a57e-4b79d89e154d", "value": "30443" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1670917433", "to_ids": false, "type": "port", "uuid": "9c8bee3e-1005-4864-8b1e-3ddace0e3f5b", "value": "20443" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1670917433", "to_ids": true, "type": "ip-dst", "uuid": "dbe9a5f2-dced-4976-bcdd-149f63249234", "value": "103.131.189.143" } ] }, { "comment": "", "deleted": false, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "9", "timestamp": "1670917487", "uuid": "262ad933-c9f4-4a19-b565-7803c1d7ac23", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1670917487", "to_ids": false, "type": "port", "uuid": "3a5ace1e-8ef5-4f00-bd64-3dac82380da7", "value": "8443" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1670917487", "to_ids": false, "type": "port", "uuid": "362813d7-d3bd-4b2a-9fe3-4ee7866529e5", "value": "444" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1670917487", "to_ids": true, "type": "ip-dst", "uuid": "bfbe2f5f-9874-4305-9a22-83fc99cee9d1", "value": "192.36.119.61" } ] }, { "comment": "", "deleted": false, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "9", "timestamp": "1670917560", "uuid": "f67e3a0b-ac50-41b1-8c51-2c42e4b19d5f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1670917560", "to_ids": false, "type": "port", "uuid": "96e034a9-1863-4c92-899c-891a48d838d4", "value": "8033" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1670917560", "to_ids": true, "type": "ip-dst", "uuid": "211f5de2-c587-475c-bb0b-1738a748b80a", "value": "172.247.168.153" } ] }, { "comment": "", "deleted": false, "description": "Metadata used to generate an executive level report", "meta-category": "misc", "name": "report", "template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df", "template_version": "7", "timestamp": "1670917641", "uuid": "f67cc8e8-163a-4b1e-8423-5c05ed994701", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "link", "timestamp": "1670917641", "to_ids": false, "type": "link", "uuid": "82bced44-b858-4224-9526-2c58e794b1f9", "value": "https://www.fortiguard.com/psirt/FG-IR-22-398" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "summary", "timestamp": "1670917641", "to_ids": false, "type": "text", "uuid": "2eb3baf8-5377-427d-a4de-fa1a351ecc7d", "value": "A heap-based buffer overflow vulnerability [CWE-122]\u00a0in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests." }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "type", "timestamp": "1670917641", "to_ids": false, "type": "text", "uuid": "1ef68fcd-2b25-447f-8e71-48a6d80acaaf", "value": "Report" } ] }, { "comment": "", "deleted": false, "description": "Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipments or hardware.", "meta-category": "vulnerability", "name": "vulnerability", "template_uuid": "81650945-f186-437b-8945-9f31715d32da", "template_version": "8", "timestamp": "1670918093", "uuid": "0ac0e406-3025-4f3a-acee-c53a15313c97", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "description", "timestamp": "1670918093", "to_ids": false, "type": "text", "uuid": "588d7ee5-1465-4025-a162-ba10eb8aa1fb", "value": "FG-IR-22-398" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "id", "timestamp": "1670918093", "to_ids": false, "type": "vulnerability", "uuid": "73a05364-5477-4cc1-916e-a2dc07a6d2bd", "value": "CVE-2022-42475" }, { "category": "Internal reference", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1670918093", "to_ids": false, "type": "text", "uuid": "49395d9a-2281-4a35-8e3b-b63fbf161386", "value": "Vulnerability ID Assigned" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "summary", "timestamp": "1670918093", "to_ids": false, "type": "text", "uuid": "abcd9064-db60-41ee-9781-bea17a5528fe", "value": "FortiOS version 7.2.0 through 7.2.2\r\nFortiOS version 7.0.0 through 7.0.8\r\nFortiOS version 6.4.0 through 6.4.10\r\nFortiOS version 6.2.0 through 6.2.11\r\nFortiOS-6K7K version 7.0.0 through 7.0.7\r\nFortiOS-6K7K version 6.4.0 through 6.4.9\r\nFortiOS-6K7K version 6.2.0 through 6.2.11\r\nFortiOS-6K7K version 6.0.0 through 6.0.14\r\nare vulnerable" } ] } ], "EventReport": [ { "name": "Bleepingcomputer: Fortinet says SSL-VPN pre-auth RCE bug is exploited in attacks", "content": "# Bleepingcomputer: Fortinet says SSL-VPN pre-auth RCE bug is exploited in attacks\r\nFrom: `https://www.bleepingcomputer.com/news/security/fortinet-says-ssl-vpn-pre-auth-rce-bug-is-exploited-in-attacks/`\r\n\r\nFortinet urges customers to patch their appliances against an actively exploited FortiOS SSL-VPN vulnerability that could allow unauthenticated remote code execution on devices.\r\n\r\nThe security flaw is tracked as CVE-2022-42475 and is a heap-based buffer overflow bug in FortiOS sslvpnd. When exploited, the flaw could allow unauthenticated users to crash devices remotely and potentially perform code execution.\r\n\r\n\"A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests,\" warns Fortinet in a security advisory released today.\r\n\r\nAs reported by LeMagIT, French cybersecurity firm Olympe Cyberdefense first disclosed the Fortinet zero-day vulnerability, warning users to monitor their logs for suspicious activity until a patch was released.\r\n\r\nFortinet quietly fixed the bug on November 28th in FortiOS 7.2.3 (other versions released earlier) without releasing any information about it being exploited as a zero-day.\r\n\r\nHowever, BleepingComputer has learned that the company issued a private TLP:Amber advisory to customers on December 7th with more information about the bug.\r\n\r\nToday, Fortinet released security advisory FG-IR-22-398, publicly warning that the vulnerability has been actively exploited in attacks and that all users should update to the following versions to fix the bug.\r\n\r\n```\r\nFortiOS version 7.2.3 or above\r\nFortiOS version 7.0.9 or above\r\nFortiOS version 6.4.11 or above\r\nFortiOS version 6.2.12 or above\r\nFortiOS-6K7K version 7.0.8 or above\r\nFortiOS-6K7K version 6.4.10 or above\r\nFortiOS-6K7K version 6.2.12 or above\r\nFortiOS-6K7K version 6.0.15 or above\r\n```\r\n\r\n## Actively exploited in attacks\r\n\r\nWhile Fortinet has not provided any information on how the flaw is being exploited, they shared IOCs related to attacks.\r\n\r\nAs shared previously by Olympe Cyberdefense and now Fortinet, when the vulnerability is exploited, it will generate the following entries in the logs:\r\n```\r\nLogdesc=\"Application crashed\" and msg=\"[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]\u201c\r\n```\r\n\r\nFortinet warned that the following file system artifacts would be present on exploited devices:\r\n```\r\n/data/lib/libips.bak\r\n/data/lib/libgif.so\r\n/data/lib/libiptcp.so\r\n/data/lib/libipudp.so\r\n/data/lib/libjepg.so\r\n/var/.sslvpnconfigbk\r\n/data/etc/wxd.conf\r\n/flash\r\n```\r\n\r\nFortinet also shared a list of IP addresses seen exploiting the vulnerability, listed below.\r\n```\r\n188.34.130.40:444\r\n103.131.189.143:30080,30081,30443,20443\r\n192.36.119.61:8443,444\r\n172.247.168.153:8033\r\n```\r\nOf these IP addresses, threat intelligence company Grey Noise has detected the 103.131.189.143 address previously performing network scans in October.\r\n\r\nIf you are unable to apply the patches immediately, Olympe Cyberdefense suggests customers monitor logs, disable the VPN-SSL functionality, and create access rules to limit connections from specific IP addresses.\r\n\r\n*Update 12/12/22: Added information about private advisory. Fixed CVE.*", "id": "138", "event_id": "109029", "timestamp": "1670919581", "uuid": "8cdc2138-82ae-4177-bb67-7a9cd177440d", "deleted": false }, { "name": "PSIRT Advisories: FortiOS - heap-based buffer overflow in sslvpnd", "content": "# PSIRT Advisories\r\n\r\n## FortiOS - heap-based buffer overflow in sslvpnd\r\nFrom: `https://www.fortiguard.com/psirt/FG-IR-22-398`\r\n\r\n### Summary\r\n\r\nA heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.\r\n\r\n#### Exploitation status\r\nFortinet is aware of an instance where this vulnerability was exploited in the wild, and recommends immediately validating your systems against the following indicators of compromise:\r\n\r\n**Multiple log entries with:**\r\n```\r\nLogdesc=\"Application crashed\" and msg=\"[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]\u201c\r\n```\r\n \r\n**Presence of the following artifacts in the filesystem:**\r\n```\r\n /data/lib/libips.bak \r\n /data/lib/libgif.so \r\n /data/lib/libiptcp.so \r\n /data/lib/libipudp.so \r\n /data/lib/libjepg.so \r\n /var/.sslvpnconfigbk \r\n /data/etc/wxd.conf \r\n /flash\r\n```\r\n \r\n**Connections to suspicious IP addresses from the FortiGate:**\r\n```\r\n 188.34.130.40:444 \r\n 103.131.189.143:30080,30081,30443,20443 \r\n 192.36.119.61:8443,444 \r\n 172.247.168.153:8033\r\n```\r\n \r\n### Affected Products\r\n\r\n- FortiOS version 7.2.0 through 7.2.2\r\n- FortiOS version 7.0.0 through 7.0.8\r\n- FortiOS version 6.4.0 through 6.4.10\r\n- FortiOS version 6.2.0 through 6.2.11\r\n- FortiOS-6K7K version 7.0.0 through 7.0.7\r\n- FortiOS-6K7K version 6.4.0 through 6.4.9\r\n- FortiOS-6K7K version 6.2.0 through 6.2.11\r\n- FortiOS-6K7K version 6.0.0 through 6.0.14\r\n\r\n### Solutions\r\n\r\n- Please upgrade to FortiOS version 7.2.3 or above\r\n- Please upgrade to FortiOS version 7.0.9 or above\r\n- Please upgrade to FortiOS version 6.4.11 or above\r\n- Please upgrade to FortiOS version 6.2.12 or above\r\n- Please upgrade to FortiOS-6K7K version 7.0.8 or above\r\n- Please upgrade to FortiOS-6K7K version 6.4.10 or above\r\n- Please upgrade to FortiOS-6K7K version 6.2.12 or above\r\n- Please upgrade to FortiOS-6K7K version 6.0.15 or above", "id": "139", "event_id": "109029", "timestamp": "1670919598", "uuid": "f0499122-2a62-4dff-bbf9-84b1cec56ef4", "deleted": false } ] } }