Fortinet has released security advisory FG-IR-22-398

Fortinet has released security advisory FG-IR-22-398, warning that a heap-based buffer overflow in the FortiOS SSL-VPN daemon (sslvpnd) has been actively exploited in the wild. The flaw can be triggered by a remote, unauthenticated attacker with specially crafted requests and can lead to arbitrary code execution on the firewall. Fortinet recommends that all users upgrade to a fixed release: FortiOS 7.2.3, 7.0.9, 6.4.11 or 6.2.12 (or later); the advisory also lists fixed FortiOS-6K7K builds for the large-chassis platforms. Until the upgrade is applied, disabling the SSL-VPN service removes the exposed attack surface.

Fortinet has also provided indicators of compromise (IOCs) for this vulnerability. On an exploited device, the system event log may contain a crash of the SSL-VPN daemon with a segmentation fault (Signal 11):

Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"

A crash of sslvpnd is not proof of compromise by itself (a failed exploitation attempt or an unrelated bug produces the same entry), but it is a strong lead when it coincides with the other indicators. On the file system of exploited devices, you may also see the following artifacts:

/data/lib/libips.bak
/data/lib/libgif.so
/data/lib/libiptcp.so
/data/lib/libipudp.so
/data/lib/libjepg.so
/var/.sslvpnconfigbk
/data/etc/wxd.conf
/flash

Fortinet has also shared the IP addresses, with the ports observed, that have been seen exploiting this vulnerability:

188.34.130.40:444
103.131.189.143:30080,30081,30443,20443
192.36.119.61:8443,444
172.247.168.153:8033
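The three checks above (crash entries in the event log, artifact paths on the file system, and traffic to the published IP:port pairs) can be run mechanically over exported device logs. The script below is an added example and is not code from Fortinet's advisory or from ThreatHunter.AI; the indicator values are the ones listed above, the sample log lines and file listing are constructed for illustration, and the field names (`logdesc`, `msg`, `srcip`, `dstip`, `srcport`, `dstport`) are the standard FortiOS key=value log fields. It deliberately matches exact file paths only and leaves `/flash`, which is a directory rather than a file, to manual review.

```python
import re

# Indicators taken from FG-IR-22-398. Everything else in this block is an
# added example, not Fortinet's or ThreatHunter.AI's own code.
CRASH_RE = re.compile(
    r'logdesc="Application crashed".*application:\s*sslvpnd.*Signal 11 received',
    re.IGNORECASE,
)
ARTIFACT_PATHS = {
    "/data/lib/libips.bak", "/data/lib/libgif.so", "/data/lib/libiptcp.so",
    "/data/lib/libipudp.so", "/data/lib/libjepg.so", "/var/.sslvpnconfigbk",
    "/data/etc/wxd.conf",
}
C2_ENDPOINTS = {
    "188.34.130.40": {444},
    "103.131.189.143": {30080, 30081, 30443, 20443},
    "192.36.119.61": {8443, 444},
    "172.247.168.153": {8033},
}

# FortiOS logs are key=value pairs; values with spaces are double-quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Split a FortiOS key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def find_sslvpnd_crashes(lines):
    """Event-log lines showing sslvpnd dying with SIGSEGV (Signal 11)."""
    return [ln for ln in lines if CRASH_RE.search(ln)]


def find_artifacts(paths):
    """Return the listed paths that exactly match an advisory artifact."""
    return sorted({p.strip() for p in paths} & ARTIFACT_PATHS)


def find_c2_traffic(lines):
    """Traffic-log lines whose source or destination is an advisory IP.

    Returns (ip, port, exact): exact is True when the port also matches one
    published for that IP. A hit on the IP alone still deserves triage.
    """
    hits = []
    for ln in lines:
        rec = parse_kv(ln)
        for side in ("src", "dst"):
            ip = rec.get(side + "ip")
            if ip not in C2_ENDPOINTS:
                continue
            port = int(rec.get(side + "port", 0))
            hits.append((ip, port, port in C2_ENDPOINTS[ip]))
    return hits


def triage(event_lines, traffic_lines, paths):
    """Combine the three checks into one verdict for a device."""
    crashes = find_sslvpnd_crashes(event_lines)
    artifacts = find_artifacts(paths)
    c2 = find_c2_traffic(traffic_lines)
    # Artifacts or attacker traffic are hard indicators; a crash alone is
    # only a lead, since sslvpnd can segfault for other reasons.
    return {"crashes": len(crashes), "artifacts": artifacts, "c2": c2,
            "compromised": bool(artifacts or c2)}


# Constructed sample inputs (not data from a real device).
EVENT_LOG = [
    'date=2022-12-12 time=10:12:13 type="event" subtype="system" level="critical" '
    'logdesc="Application crashed" msg="Pid: 1234, application: sslvpnd, '
    'Signal 11 received, Backtrace: [0x0041a5b2]"',
    'date=2022-12-12 time=10:13:01 type="event" subtype="system" level="notice" '
    'logdesc="Admin login successful" msg="Administrator admin logged in"',
]
TRAFFIC_LOG = [
    'date=2022-12-12 time=10:12:20 type="traffic" subtype="forward" '
    'srcip=10.0.0.5 srcport=51234 dstip=188.34.130.40 dstport=444 action="accept"',
    'date=2022-12-12 time=10:12:25 type="traffic" subtype="forward" '
    'srcip=10.0.0.5 srcport=51235 dstip=93.184.216.34 dstport=443 action="accept"',
    'date=2022-12-12 time=10:12:30 type="traffic" subtype="forward" '
    'srcip=10.0.0.6 srcport=51236 dstip=192.36.119.61 dstport=80 action="deny"',
]
FILE_LISTING = ["/data/lib/libips.so", "/data/lib/libips.bak",
                "/data/etc/wxd.conf", "/bin/sslvpnd"]

if __name__ == "__main__":
    print(triage(EVENT_LOG, TRAFFIC_LOG, FILE_LISTING))
```

Feed it the device's exported event and traffic logs and a recursive listing of `/data` and `/var`; any non-empty `artifacts` or `c2` result should be treated as a confirmed compromise rather than a suspicion, while a crash count on its own warrants a closer look at the timeframe around each entry.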

If any of these IP addresses appear in your logs, or any of the listed file system artifacts exist on a device, treat that device as compromised rather than merely vulnerable. Upgrading the firmware closes the hole but does not remove an implant the attacker has already planted or revoke credentials, certificates and VPN configuration they may have copied, so the upgrade must be followed by a rebuild from a known-good image, rotation of every secret stored on the device, and a review of the configuration and of connected systems for unauthorized changes. ThreatHunter.AI is here to help if you need assistance. Our team of security experts can assist you with updating your firewall and help you identify and mitigate any potential breaches.