{ "Event": { "analysis": "1", "date": "2022-12-13", "extends_uuid": "", "info": "OSINT - Fortinet says SSL-VPN pre-auth RCE bug is exploited in attacks", "publish_timestamp": "1671440309", "published": true, "threat_level_id": "1", "timestamp": "1671440259", "uuid": "e132e5f2-1a09-43e4-b2d6-8046c730616f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#004646", "name": "type:OSINT" }, { "colour": "#0071c3", "name": "osint:lifetime=\"perpetual\"" }, { "colour": "#0087e8", "name": "osint:certainty=\"50\"" }, { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"" } ], "Attribute": [ { "category": "Artifacts dropped", "comment": "IDS flag not set (as many FPs are possible), but for forensic evaluation it could be useful (as mentioned in the Fortinet report as \"Presence of the following artifacts in the filesystem:\").", "deleted": false, "disable_correlation": false, "timestamp": "1670918523", "to_ids": false, "type": "filename-pattern", "uuid": "67c635c3-156e-4374-8539-03dc022ead94", "value": "/data/lib/libips.bak" }, { "category": "Artifacts dropped", "comment": "IDS flag not set (as many FPs are possible), but for forensic evaluation it could be useful (as mentioned in the Fortinet report as \"Presence of the following artifacts in the filesystem:\").", "deleted": false, "disable_correlation": false, "timestamp": "1670918523", "to_ids": false, "type": "filename-pattern", "uuid": "056cf46f-19ac-4d56-b479-2910c6338304", "value": "/data/lib/libgif.so" }, { "category": "Artifacts dropped", "comment": "IDS flag not set (as many FPs are possible), but for forensic evaluation it could be useful (as mentioned in the Fortinet report as \"Presence of the following artifacts in the filesystem:\").", "deleted": false, 
"disable_correlation": false, "timestamp": "1670918523", "to_ids": false, "type": "filename-pattern", "uuid": "418c4e99-bc14-4758-acb7-79839693c7a5", "value": "/data/lib/libiptcp.so" }, { "category": "Artifacts dropped", "comment": "IDS flag not set (as many FPs are possible), but for forensic evaluation it could be useful (as mentioned in the Fortinet report as \"Presence of the following artifacts in the filesystem:\").", "deleted": false, "disable_correlation": false, "timestamp": "1670918523", "to_ids": false, "type": "filename-pattern", "uuid": "d369428b-c79c-4e53-ac8b-e66b7e37bf35", "value": "/data/lib/libipudp.so" }, { "category": "Artifacts dropped", "comment": "IDS flag not set (as many FPs are possible), but for forensic evaluation it could be useful (as mentioned in the Fortinet report as \"Presence of the following artifacts in the filesystem:\").", "deleted": false, "disable_correlation": false, "timestamp": "1670918523", "to_ids": false, "type": "filename-pattern", "uuid": "27d86af6-151c-4222-90f4-4e78da4ea247", "value": "/data/lib/libjepg.so" }, { "category": "Artifacts dropped", "comment": "IDS flag not set (as many FPs are possible), but for forensic evaluation it could be useful (as mentioned in the Fortinet report as \"Presence of the following artifacts in the filesystem:\").", "deleted": false, "disable_correlation": false, "timestamp": "1670918523", "to_ids": false, "type": "filename-pattern", "uuid": "34941db8-634e-41c6-8547-3f21dc259b8f", "value": "/var/.sslvpnconfigbk" }, { "category": "Artifacts dropped", "comment": "IDS flag not set (as many FPs are possible), but for forensic evaluation it could be useful (as mentioned in the Fortinet report as \"Presence of the following artifacts in the filesystem:\").", "deleted": false, "disable_correlation": false, "timestamp": "1670918523", "to_ids": false, "type": "filename-pattern", "uuid": "25ec1150-a6b5-4ddd-8fd4-0667afc4791a", "value": "/data/etc/wxd.conf" }, { "category": "Artifacts dropped", 
"comment": "IDS flag not set (as many FPs are possible), but for forensic evaluation it could be useful (as mentioned in the Fortinet report as \"Presence of the following artifacts in the filesystem:\").", "deleted": false, "disable_correlation": false, "timestamp": "1670918523", "to_ids": false, "type": "filename-pattern", "uuid": "631df53c-1aa6-49cb-8147-2938c98de666", "value": "/flash" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1671440259", "to_ids": true, "type": "ip-dst", "uuid": "c11e8f34-bd5c-455c-97c6-f8e1963cdc9f", "value": "139.180.184.197" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1671440259", "to_ids": true, "type": "ip-dst", "uuid": "75c27d03-3cda-44ac-93e3-eefa8fb17262", "value": "66.42.91.32" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1671440259", "to_ids": true, "type": "ip-dst", "uuid": "2694f1c0-6740-4581-a259-8258400713ac", "value": "158.247.221.101" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1671440259", "to_ids": true, "type": "ip-dst", "uuid": "857a5707-7a4f-4dbe-85ed-ba23bdaf5883", "value": "107.148.27.117" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1671440259", "to_ids": true, "type": "ip-dst", "uuid": "28031de1-697f-4cab-9667-a424c98a8ed0", "value": "139.180.128.142" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1671440259", "to_ids": true, "type": "ip-dst", "uuid": "01257f8a-da5d-42a1-a530-daf87ab7b111", "value": "155.138.224.122" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1671440259", "to_ids": true, "type": "ip-dst", "uuid": 
"e04f171a-85a5-4e27-a59a-e84fb0c74b0c", "value": "185.174.136.20" } ], "Object": [ { "comment": "", "deleted": false, "description": "Metadata used to generate an executive level report", "meta-category": "misc", "name": "report", "template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df", "template_version": "7", "timestamp": "1670917344", "uuid": "f22cb310-aa8a-420c-88ba-4cc741d0e3db", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "link", "timestamp": "1670917344", "to_ids": false, "type": "link", "uuid": "7ddc9a29-e3c2-4456-b9ab-0bae752dce65", "value": "https://www.bleepingcomputer.com/news/security/fortinet-says-ssl-vpn-pre-auth-rce-bug-is-exploited-in-attacks/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "summary", "timestamp": "1670917344", "to_ids": false, "type": "text", "uuid": "fc9fe6a2-b019-45db-ae35-c820003f1d8a", "value": "Fortinet urges customers to patch their appliances against an actively exploited FortiOS\u00a0SSL-VPN vulnerability that could allow unauthenticated remote code execution on devices.\r\n\r\nThe security flaw is tracked as CVE-2022-42475 and is a heap-based buffer overflow bug in FortiOS sslvpnd. When exploited, the flaw could allow unauthenticated users to crash devices remotely and potentially perform code execution." 
}, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "type", "timestamp": "1670917344", "to_ids": false, "type": "text", "uuid": "be393bf3-786c-429a-8f25-24d089647e04", "value": "Webpage" } ] }, { "comment": "", "deleted": false, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "9", "timestamp": "1670917384", "uuid": "52dc5914-7a94-4833-a5e9-05a7e4164a26", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1670917384", "to_ids": false, "type": "port", "uuid": "ec469574-cbb9-425d-8944-805c337cec48", "value": "444" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1670917384", "to_ids": true, "type": "ip-dst", "uuid": "ec3493d3-8b02-40e1-bb0e-a307d6e56a59", "value": "188.34.130.40" } ] }, { "comment": "", "deleted": false, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "9", "timestamp": "1670917433", "uuid": "53d7e397-b677-4629-8322-86bfdb015e6d", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1670917433", "to_ids": false, "type": "port", "uuid": "2ec70401-7dbd-4cae-bb48-39e2eeed056c", "value": "30080" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1670917433", "to_ids": false, "type": "port", "uuid": 
"3a58b2d9-4d58-49f2-96cf-b404490214a9", "value": "30081" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1670917433", "to_ids": false, "type": "port", "uuid": "0aa2923c-0911-4f17-a57e-4b79d89e154d", "value": "30443" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1670917433", "to_ids": false, "type": "port", "uuid": "9c8bee3e-1005-4864-8b1e-3ddace0e3f5b", "value": "20443" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1670917433", "to_ids": true, "type": "ip-dst", "uuid": "dbe9a5f2-dced-4976-bcdd-149f63249234", "value": "103.131.189.143" } ] }, { "comment": "", "deleted": false, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "9", "timestamp": "1670917487", "uuid": "262ad933-c9f4-4a19-b565-7803c1d7ac23", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1670917487", "to_ids": false, "type": "port", "uuid": "3a5ace1e-8ef5-4f00-bd64-3dac82380da7", "value": "8443" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1670917487", "to_ids": false, "type": "port", "uuid": "362813d7-d3bd-4b2a-9fe3-4ee7866529e5", "value": "444" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1670917487", "to_ids": true, "type": "ip-dst", "uuid": "bfbe2f5f-9874-4305-9a22-83fc99cee9d1", "value": "192.36.119.61" } ] }, { "comment": 
"", "deleted": false, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "9", "timestamp": "1670917560", "uuid": "f67e3a0b-ac50-41b1-8c51-2c42e4b19d5f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1670917560", "to_ids": false, "type": "port", "uuid": "96e034a9-1863-4c92-899c-891a48d838d4", "value": "8033" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1670917560", "to_ids": true, "type": "ip-dst", "uuid": "211f5de2-c587-475c-bb0b-1738a748b80a", "value": "172.247.168.153" } ] }, { "comment": "", "deleted": false, "description": "Metadata used to generate an executive level report", "meta-category": "misc", "name": "report", "template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df", "template_version": "7", "timestamp": "1670917641", "uuid": "f67cc8e8-163a-4b1e-8423-5c05ed994701", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "link", "timestamp": "1670917641", "to_ids": false, "type": "link", "uuid": "82bced44-b858-4224-9526-2c58e794b1f9", "value": "https://www.fortiguard.com/psirt/FG-IR-22-398" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "summary", "timestamp": "1670917641", "to_ids": false, "type": "text", "uuid": "2eb3baf8-5377-427d-a4de-fa1a351ecc7d", "value": "A heap-based buffer overflow vulnerability [CWE-122]\u00a0in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests." 
}, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "type", "timestamp": "1670917641", "to_ids": false, "type": "text", "uuid": "1ef68fcd-2b25-447f-8e71-48a6d80acaaf", "value": "Report" } ] }, { "comment": "", "deleted": false, "description": "Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipments or hardware.", "meta-category": "vulnerability", "name": "vulnerability", "template_uuid": "81650945-f186-437b-8945-9f31715d32da", "template_version": "8", "timestamp": "1670918093", "uuid": "0ac0e406-3025-4f3a-acee-c53a15313c97", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "description", "timestamp": "1670918093", "to_ids": false, "type": "text", "uuid": "588d7ee5-1465-4025-a162-ba10eb8aa1fb", "value": "FG-IR-22-398" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "id", "timestamp": "1670918093", "to_ids": false, "type": "vulnerability", "uuid": "73a05364-5477-4cc1-916e-a2dc07a6d2bd", "value": "CVE-2022-42475" }, { "category": "Internal reference", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1670918093", "to_ids": false, "type": "text", "uuid": "49395d9a-2281-4a35-8e3b-b63fbf161386", "value": "Vulnerability ID Assigned" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "summary", "timestamp": "1670918093", "to_ids": false, "type": "text", "uuid": "abcd9064-db60-41ee-9781-bea17a5528fe", "value": "FortiOS version 7.2.0 through 7.2.2\r\nFortiOS version 7.0.0 through 7.0.8\r\nFortiOS version 6.4.0 through 6.4.10\r\nFortiOS version 6.2.0 through 6.2.11\r\nFortiOS-6K7K version 7.0.0 through 7.0.7\r\nFortiOS-6K7K version 6.4.0 through 
6.4.9\r\nFortiOS-6K7K version 6.2.0 through 6.2.11\r\nFortiOS-6K7K version 6.0.0 through 6.0.14\r\nare vulnerable" } ] } ] } }