This article describes how to use a custom event handler in FortiAnalyzer to raise alerts for incident response related to attacks which attempt to exploit a remote code execution vulnerability in the Microsoft HTTP protocol stack (HTTP.sys).
The vulnerability is due to an improper boundary check in the protocol stack when handling a crafted HTTP request.
A remote attacker may be able to exploit this to execute arbitrary code within the context of the application by sending a crafted HTTP request.
This vulnerability is assigned CVE-2022-21907.
For more information about this attack, see the following FortiGuard Outbreak Alert.
What is included in Fortinet_Windows_HTTP_Protocol_stack_RCE.zip?
1) Windows HTTP Protocol Stack RCE_event-handler.json
This event handler helps identify attacks which attempt to exploit the remote code execution vulnerability in the Microsoft HTTP protocol stack, based on detections in FortiGate, FortiClient and FortiSandbox logs.
2) Windows HTTP Protocol Stack RCE_report.dat
This report displays the findings on the HTTP protocol stack RCE outbreak from FortiGate, FortiClient and FortiSandbox logs.
3) fgt_Windows HTTP Protocol Stack RCE_event-handler.json
The event handler for FortiGate ADOMs, which is configured for FortiGate logs only.
4) fgt_Windows HTTP Protocol Stack RCE_report.dat
The report for FortiGate ADOMs, which includes FortiGate charts only.
The event handler and report help detect the outbreak based on FortiGate AV, IPS and Application Control detections, FortiClient AV, Vulnerability and Web Filter detections, as well as FortiSandbox detections.
All screenshots provided below for illustration purposes are taken from FortiAnalyzer 7.0.3.
1) Download the Fortinet_Windows_HTTP_Protocol_stack_RCE.zip file (contains 4 files).
2) Unzip Fortinet_Windows_HTTP_Protocol_stack_RCE.zip.
3) Import Windows HTTP Protocol Stack RCE_event-handler.json or fgt_Windows HTTP Protocol Stack RCE_event-handler.json into Event Handlers:
- Choose an ADOM (if ADOMs are enabled). The ADOM may be of type Fabric or FortiGate.
- Choose the FortiSOC module.
- Select Event Handler List.
- Select the Import option under More.
- Select the appropriate event handler depending on your ADOM type.
Once imported, the event handler is enabled and will be triggered when matching logs are received. You may wish to edit the event handler to customize the notification section.
4) Import Windows HTTP Protocol Stack RCE_report.dat or fgt_Windows HTTP Protocol Stack RCE_report.dat into Reports:
- Choose an ADOM (if ADOMs are enabled). The ADOM may be of type Fabric or FortiGate.
- Select the appropriate file for the ADOM type to add the report to the ADOM.
The (fgt_)Windows HTTP Protocol Stack RCE_report can be run at any time, as determined by an admin user.