Description

This article describes how a critical heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote, unauthenticated attacker to execute arbitrary code or commands with specifically crafted requests. See the FortiGuard page on the vulnerability for more details: https://www.fortiguard.com/psirt/FG-IR-22-398

Scope

FortiGate.

Solution

Fortinet recommends taking immediate action to mitigate this vulnerability (by disabling SSL VPN) before upgrading to the latest release, as documented in the advisory.

If a FortiGate is managed by a FortiManager, ensure that the FortiManager is upgraded to a compatible version before upgrading the FortiGate. For more information, see the FortiManager Compatibility Chart.

To search for the Crash Log indicators of compromise documented in the advisory, search the Event Logs either on the FortiGate or the FortiAnalyzer for multiple System level log events containing the following information:

Logdesc="Application crashed" and msg="[...] application: sslvpnd,[...], Signal 11 received, Backtrace: [...]“

Alternatively, execute the following command on the FortiGate CLI:

diagnose debug crashlog read

Search for multiple examples of the following:

xxxx: [ Date & Time ] <.....> firmware  [ Firmware version ]
xxxx: [ Date & Time ] <.....> application sslvpnd
xxxx: [ Date & Time ] <.....> *** signal 11 (Segmentation fault) received ***

Additionally, search for the presence of the IoC artifacts in the filesystem with the fnsysctl command: 

fnsysctl ls -l /data/lib 

/data/lib/libips.bak 
/data/lib/libgif.so 
/data/lib/libiptcp.so 
/data/lib/libipudp.so 
/data/lib/libjepg.so 

fnsysctl ls -la /var 
/var/.sslvpnconfigbk 

fnsysctl ls -l /data/etc 
/data/etc/wxd.conf 

fnsysctl ls -l / 
/flash 

If these IoCs are detected, contact customer support for assistance. 

Note:

The 'fnsysctl' command will only work when logged in as a super_admin (administrator accounts with super_admin permission profile).