CVE-2022-42475: Remote Code Execution vulnerability in Fortinet SSL VPN service

Updated: Dec 18, 2022

On the 12th of December 2022, we sent out a security bulletin about a Fortinet security advisory involving an actively exploited remote code execution vulnerability affecting FortiOS through the SSL VPN service. 

Since the original advisory was published by Fortinet, additional versions have been added to the advisory. We are sending you today’s bulletin to ensure that your organization is aware of the expanded scope of this vulnerability, so that appropriate remediation actions can be taken in your environment. Please review the table of impacted versions below. 

Recommendation 

Recommendation #1: Upgrade FortiOS 

Arctic Wolf strongly recommends upgrading FortiOS to fully remediate CVE-2022-42475.  

Note: Versions added to the advisory since the original post are marked (new). 

Product        Impacted Versions          Fixed Versions 
FortiOS        v7.2.0 to v7.2.2           v7.2.3 or above 
               v7.0.0 to v7.0.8           v7.0.9 or above 
               v6.4.0 to v6.4.10          v6.4.11 or above 
               v6.2.0 to v6.2.11          v6.2.12 or above 
               v6.0.0 to v6.0.15 (new)    v6.0.16 or above (upcoming) (new) 
               v5.6.0 to v5.6.14 (new) 
               v5.4.0 to v5.4.13 (new) 
               v5.2.0 to v5.2.15 (new) 
               v5.0.0 to v5.0.14 (new) 
FortiOS-6K7K   v7.0.0 to v7.0.7           v7.0.8 or above 
               v6.4.0 to v6.4.9           v6.4.10 or above 
               v6.2.0 to v6.2.11          v6.2.12 or above 
               v6.0.0 to v6.0.14          v6.0.15 or above 
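A practical way to act on the table is to check a device inventory against it. The script below is an added example, not code from Arctic Wolf or Fortinet: it transcribes the updated table into data, parses FortiOS version strings of the form "v7.0.8", and reports for each device whether it sits inside an impacted range and which fixed release applies. It keeps the two details that are easy to get wrong by eye: v7.0.8 is impacted on FortiOS but already fixed on FortiOS-6K7K, the v6.0.16 fix was listed as upcoming, and the 5.x branches have an impacted range but no fixed release listed. Hostnames and versions in the sample inventory are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]


@dataclass(frozen=True)
class Branch:
    """One row of the bulletin's table: an impacted range and its fixed release."""
    low: Version               # first impacted version on this branch (inclusive)
    high: Version              # last impacted version on this branch (inclusive)
    fixed: Optional[Version]   # first fixed version, or None if the bulletin lists none
    upcoming: bool = False     # True when the bulletin listed the fix as "upcoming"


# Transcribed from the updated (Dec 18, 2022) table. FortiOS 5.x branches have an
# impacted range but no fixed release listed; v6.0.16 was listed as upcoming.
IMPACTED: Dict[str, List[Branch]] = {
    "FortiOS": [
        Branch((7, 2, 0), (7, 2, 2), (7, 2, 3)),
        Branch((7, 0, 0), (7, 0, 8), (7, 0, 9)),
        Branch((6, 4, 0), (6, 4, 10), (6, 4, 11)),
        Branch((6, 2, 0), (6, 2, 11), (6, 2, 12)),
        Branch((6, 0, 0), (6, 0, 15), (6, 0, 16), upcoming=True),
        Branch((5, 6, 0), (5, 6, 14), None),
        Branch((5, 4, 0), (5, 4, 13), None),
        Branch((5, 2, 0), (5, 2, 15), None),
        Branch((5, 0, 0), (5, 0, 14), None),
    ],
    "FortiOS-6K7K": [
        Branch((7, 0, 0), (7, 0, 7), (7, 0, 8)),
        Branch((6, 4, 0), (6, 4, 9), (6, 4, 10)),
        Branch((6, 2, 0), (6, 2, 11), (6, 2, 12)),
        Branch((6, 0, 0), (6, 0, 14), (6, 0, 15)),
    ],
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Version:
    """Turn 'v7.0.8' (or '7.0.8') into a (major, minor, patch) tuple that compares numerically."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def fmt(v: Version) -> str:
    return "v" + ".".join(str(x) for x in v)


def assess(product: str, version_text: str) -> dict:
    """Verdict for one device: is it inside an impacted range, and what does the table say to do?"""
    if product not in IMPACTED:
        raise ValueError(f"product {product!r} is not covered by the bulletin")
    v = parse_version(version_text)
    verdict = {"product": product, "version": fmt(v), "impacted": False,
               "fixed_version": None, "action": "branch not listed in the bulletin"}
    for b in IMPACTED[product]:
        if v[:2] != b.low[:2]:          # different major.minor branch, keep looking
            continue
        verdict["fixed_version"] = fmt(b.fixed) if b.fixed else None
        if not (b.low <= v <= b.high):
            # Above the impacted range: fixed if the table lists a fix, otherwise unverified.
            verdict["action"] = ("at or above the fixed release for this branch" if b.fixed
                                 else "above the impacted range but no fix listed, verify with vendor")
            return verdict
        verdict["impacted"] = True
        if b.fixed is None:
            verdict["action"] = "impacted; no fixed release on this branch, move to a fixed branch"
        elif b.upcoming:
            verdict["action"] = f"impacted; fix {fmt(b.fixed)} listed as upcoming, plan the upgrade"
        else:
            verdict["action"] = f"impacted; upgrade to {fmt(b.fixed)} or above"
        return verdict
    return verdict


def triage(inventory: List[Tuple[str, str, str]]) -> List[dict]:
    """Run assess() over (hostname, product, version) rows and return only devices needing action."""
    findings = []
    for host, product, version in inventory:
        verdict = assess(product, version)
        if verdict["impacted"]:
            verdict["host"] = host
            findings.append(verdict)
    return findings


# Constructed sample inventory; hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "v7.0.8"),        # impacted, fix v7.0.9
    ("fw-edge-02", "FortiOS", "v7.2.3"),        # already fixed
    ("fw-core-01", "FortiOS-6K7K", "v7.0.8"),   # fixed on 6K7K even though v7.0.8 is impacted on FortiOS
    ("fw-branch-07", "FortiOS", "v6.0.12"),     # impacted, fix listed as upcoming
    ("fw-legacy-03", "FortiOS", "v5.6.3"),      # impacted, no fix on this branch
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['host']:<14} {f['product']:<13} {f['version']:<9} {f['action']}")
```

The branch is matched on major.minor before the range check so that a device above the impacted range on a listed branch is reported as fixed rather than falling through as "not listed"; the product is matched first because the same version number has a different status on FortiOS and FortiOS-6K7K.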

Original Post: December 12, 2022

On the 12th of December 2022, Fortinet published an advisory regarding an actively exploited remote code execution vulnerability affecting FortiOS through the SSL VPN service. 

Fortinet has stated that they are aware of at least one instance where this vulnerability was successfully exploited in the wild, though other undocumented cases may exist. The threat actors leveraged the vulnerability to deploy malicious files on the filesystem of affected devices. 

Additionally, as seen in a recent campaign affecting Fortinet appliances (CVE-2022-40684), threat actors may make use of remote code execution in Fortinet appliances to achieve one of the following objectives: 

  • Accessing and downloading the appliance’s configuration file 
      • This includes, but is not limited to, cleartext rules, policies, filtering, usernames and routing configurations, as well as encrypted passwords (encrypted with the private-encryption-key).  
  • Creating privileged administrator accounts 
  • Uploading and running scripts 

Potential for Widespread Exploitation 

According to CISA’s Known Exploited Vulnerabilities Catalog, threat actors have historically leveraged similar Fortinet vulnerabilities to obtain initial access and move laterally within a victim’s environment. We therefore assess with high confidence that threat actors will continue to exploit this vulnerability in the near term to obtain initial access and reach sensitive information, such as the appliance’s configuration file, given the ease of exploitation, the potential for payload delivery and execution, and the prevalence of affected Fortinet devices within enterprise environments. 

Recommendation for CVE-2022-42475

Recommendation #1: Upgrade FortiOS 

Arctic Wolf strongly recommends upgrading FortiOS to fully remediate CVE-2022-42475.  

Product        Impacted Versions    Fixed Versions 
FortiOS        v7.2.0 to v7.2.2     v7.2.3 or above 
               v7.0.0 to v7.0.8     v7.0.9 or above 
               v6.4.0 to v6.4.10    v6.4.11 or above 
               v6.2.0 to v6.2.11    v6.2.12 or above 
FortiOS-6K7K   v7.0.0 to v7.0.7     v7.0.8 or above 
               v6.4.0 to v6.4.9     v6.4.10 or above 
               v6.2.0 to v6.2.11    v6.2.12 or above 
               v6.0.0 to v6.0.14    v6.0.15 or above 

 

Note: Arctic Wolf recommends following change management best practices when applying upgrades, including testing changes in a test environment before deploying to production, to avoid operational impact. 

Adrian Korn

Adrian Korn is a seasoned cyber security professional with 7+ years' experience in cyber threat intelligence, threat detection, and security operations. He currently serves as the Manager of Threat Intelligence Research at Arctic Wolf Labs. Adrian has been a guest speaker on intelligence related topics at numerous conferences around the world, including DEF CON's Recon Village, Hackfest, and the Australian OSINT Symposium.