Updated: 18 December 2022
On 12 December 2022, we sent out a security bulletin about a Fortinet security advisory involving an actively exploited remote code execution vulnerability affecting FortiOS through the SSL VPN service.
Since the original advisory was published by Fortinet, additional versions have been added to the advisory. We are sending you today’s bulletin to ensure that your organisation is aware of the expanded scope of this vulnerability, so that appropriate remediation actions can be taken in your environment. Please review the table of impacted versions below.
Recommendation
Recommendation #1: Upgrade FortiOS
Arctic Wolf strongly recommends upgrading FortiOS to fully remediate CVE-2022-42475.
Note: See newly added versions in bold.
Product | Impacted Versions | Fixed Versions |
FortiOS | v7.2.0 to v7.2.2; v7.0.0 to v7.0.8; v6.4.0 to v6.4.10; v6.2.0 to v6.2.11; **v6.0.0 to v6.0.15**; **v5.6.0 to v5.6.14**; **v5.4.0 to v5.4.13**; **v5.2.0 to v5.2.15**; **v5.0.0 to v5.0.14** | v7.2.3 or above; v7.0.9 or above; v6.4.11 or above; v6.2.12 or above; **v6.0.16 or above (upcoming)** |
FortiOS-6K7K | v7.0.0 to v7.0.7; v6.4.0 to v6.4.9; v6.2.0 to v6.2.11; v6.0.0 to v6.0.14 | v7.0.8 or above; v6.4.10 or above; v6.2.12 or above; v6.0.15 or above |
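As an added example (not part of the Arctic Wolf bulletin or of any Fortinet tooling), the following Python check encodes the impacted and fixed ranges from the updated table above and reports which devices in an inventory still sit in an impacted range. The hostnames in `SAMPLE_INVENTORY` are constructed, and versions are compared as integer tuples because a plain string comparison would rank v7.0.10 below v7.0.8.

```python
import re
# Affected ranges for CVE-2022-42475 from the updated table above, as
# (lowest impacted, highest impacted, first fixed version). Bounds are
# inclusive; None means the table lists no fixed build for that branch.
AFFECTED = {
    "FortiOS": [
        ((7, 2, 0), (7, 2, 2), "7.2.3"),
        ((7, 0, 0), (7, 0, 8), "7.0.9"),
        ((6, 4, 0), (6, 4, 10), "6.4.11"),
        ((6, 2, 0), (6, 2, 11), "6.2.12"),
        ((6, 0, 0), (6, 0, 15), "6.0.16 (upcoming)"),
        ((5, 6, 0), (5, 6, 14), None),
        ((5, 4, 0), (5, 4, 13), None),
        ((5, 2, 0), (5, 2, 15), None),
        ((5, 0, 0), (5, 0, 14), None),
    ],
    "FortiOS-6K7K": [
        ((7, 0, 0), (7, 0, 7), "7.0.8"),
        ((6, 4, 0), (6, 4, 9), "6.4.10"),
        ((6, 2, 0), (6, 2, 11), "6.2.12"),
        ((6, 0, 0), (6, 0, 14), "6.0.15"),
    ],
}

def parse_version(v):
    """Turn 'v7.0.8' or 'v7.0.8,build0418' into a comparable (7, 0, 8) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[,\s].*)?", v.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version string: {v!r}")
    return tuple(int(x) for x in m.groups())

def assess(product, version):
    """Return (vulnerable, fixed_version) for one device."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED[product]:
        if low <= v <= high:
            return True, fixed
    return False, None

def needs_patch(inventory):
    """Hosts from (hostname, product, version) triples still in an impacted range."""
    results = ((host, *assess(prod, ver)) for host, prod, ver in inventory)
    return [(host, fixed) for host, vulnerable, fixed in results if vulnerable]

# Constructed sample inventory (hypothetical hostnames and version banners).
SAMPLE_INVENTORY = [("fw-edge-01", "FortiOS", "v7.0.8,build0418"),
                    ("fw-edge-02", "FortiOS", "v7.2.3"),
                    ("fw-dc-01", "FortiOS-6K7K", "v6.4.9"),
                    ("fw-legacy", "FortiOS", "v5.6.3")]
```

A host reported with a fixed version of `None` is in an impacted branch for which the table gives no fixed build, so it needs to move to a supported branch rather than wait for a point release.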
References
- Fortinet PSIRT Advisory: https://www.fortiguard.com/psirt/FG-IR-22-398
On 12 December 2022, Fortinet published an advisory regarding an actively exploited remote code execution vulnerability affecting FortiOS through the SSL VPN service.
Fortinet has stated that they are aware of at least one instance where this vulnerability was successfully exploited in the wild, though other undocumented cases may exist. The threat actors leveraged the vulnerability to deploy malicious files on the filesystem of affected devices.
Additionally, as seen in a recent campaign affecting Fortinet appliances (CVE-2022-40684), threat actors may make use of remote code execution in Fortinet appliances to achieve one of the following objectives:
- Accessing and downloading the appliance’s configuration file
  - This includes, but is not limited to, cleartext rules, policies, filters, usernames and routing configuration, as well as passwords encrypted with the private-encryption-key.
- Creating privileged administrator accounts
- Uploading and running scripts
Potential for Widespread Exploitation
According to CISA’s Known Exploited Vulnerabilities Catalog, threat actors have historically leveraged similar Fortinet vulnerabilities to obtain initial access and move laterally within a victim’s environment. We therefore assess with high confidence that threat actors will continue to exploit this vulnerability in the near term to obtain initial access and to reach sensitive information, such as the appliance’s configuration file, given the ease of exploitation, the potential for payload execution, and the prevalence of affected Fortinet devices within enterprise environments.
Recommendation for CVE-2022-42475
Recommendation #1: Upgrade FortiOS
Arctic Wolf strongly recommends upgrading FortiOS to fully remediate CVE-2022-42475.
Product | Impacted Versions | Fixed Versions |
FortiOS | v7.2.0 to v7.2.2; v7.0.0 to v7.0.8; v6.4.0 to v6.4.10; v6.2.0 to v6.2.11 | v7.2.3 or above; v7.0.9 or above; v6.4.11 or above; v6.2.12 or above |
FortiOS-6K7K | v7.0.0 to v7.0.7; v6.4.0 to v6.4.9; v6.2.0 to v6.2.11; v6.0.0 to v6.0.14 | v7.0.8 or above; v6.4.10 or above; v6.2.12 or above; v6.0.15 or above |
Note: Arctic Wolf recommends following change management best practices when applying upgrades, including testing changes in a test environment before deploying to production, to avoid operational impact.