CVE-2022-42475: Fortinet Pre-authentication Code-execution Vulnerability
Fortinet continues to garner and release information to address a recently-discovered heap-based buffer overflow vulnerability impacting several versions of FortiOS (FOS), the operating system behind an entire series of FortiGate next-generation firewalls and security appliances.
This new vulnerability comes on the heels of a very recent one whereby an alternate path or channel could allow threat actors to perform authentication bypasses and subsequent administrative operations on a handful of FOS, FortiProxy, and FortiSwitchManager endpoints.
In its latest PSIRT advisory, the company further provides a set of various indicators of compromise—these include the presence of file system artifacts and similar log entries as a sign of exploitation. Officially listed as CVE-2022-42475, this latest zero-day is classified as critical with a CVSS score of 9.3.
What’s Fortigate VPN?
Fortinet provides the foundation for enterprise-class security through a multitude of services that include an array of VPN solutions designed to deliver secure, non-uniform, and reliable information transfer across networks.
Impact and Affected Version
According to the advisory, these are the affected versions and fixes:
- FortiOS 7.2.0 to 7.2.2 - fixed in 7.2.3
- FortiOS 7.0.0 to 7.0.8 - fixed in 7.0.9
- FortiOS 6.4.0 to 6.4.10 - fixed in 6.4.11
- FortiOS 6.2.0 to 6.2.11 - fixed in 6.2.12
- FortiOS 6.0.0 to 6.0.15 - fixed in 6.0.16 (upcoming)
- FortiOS 5.x.x - upgrade to 6.0.16 and above
- FortiOS-6K7K 7.0.0 to 7.0.7 - fixed in 7.0.8 (upcoming)
- FortiOS-6K7K 6.4.0 to 6.4.9 - fixed in 6.4.10
- FortiOS-6K7K 6.2.0 to 6.2.11 - fixed in 6.2.12 (upcoming)
- FortiOS-6K7K 6.0.0 to 6.0.14 - fixed in 6.0.15
Any customers running FortiOS 6.2, or earlier, are strongly advised to upgrade to the latest version, given an “end of engineering support” policy from March 2022 and an upcoming “end of support” one due September 2023.
How to mitigate/patch this vulnerability
As of today, upgrading to a fixed version (mainly 7.2.3 or 7.0.9) is the only way to patch this vulnerability. Firmware updates, however, are only available in the customer portal with an active support contract.
Customers must also be made aware that intermediary version upgrades might be needed for larger version jumps. (Fortinet has provided an upgrade tool for this purpose.) If updates are not an option, the SSL-VPN functionality can also be disabled as a temporary workaround.
At the time of this writing, the Recorded Future Attack Surface Intelligence platform can detect the underlying Fortinet product and hostnames, but not the exact impacted FOS version, so a manual investigation will still be required to look for indicators of compromise.
As Fortinet is aware of at least one case of active exploitation, the company urges its customers to take immediate action in applying all pertinent fixes. We will release new updates as soon as they become available.