FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes how a critical heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote, unauthenticated attacker to execute arbitrary code or commands with specifically crafted requests. See the FortiGuard page on the vulnerability for more details: https://www.fortiguard.com/psirt/FG-IR-22-398
Fortinet recommends taking immediate action to mitigate this vulnerability (by disabling SSL VPN) before upgrading to the latest release, as documented in the advisory.
If a FortiGate is managed by a FortiManager, ensure that the FortiManager is upgraded to a compatible version before upgrading the FortiGate.For more information, see the FortiManager Compatibility Chart.
To search for the Crash Log indicators of compromise documented in the advisory, search the Event Logs either on the FortiGate or the FortiAnalyzer for multiple System level log events containing the following information:
Logdesc="Application crashed" and msg="[...] application: sslvpnd,[...], Signal 11 received, Backtrace: [...]“
Alternatively, execute the following command on the FortiGate CLI:
# diagnose debug crashlog read
Search for multiple examples of the following:
xxxx: [ Date & Time ] <.....> firmware [ Firmware version ] xxxx: [ Date & Time ] <.....> application sslvpnd xxxx: [ Date & Time ] <.....> *** signal 11 (Segmentation fault) received ***
Additionally, search for the presence of the IoC artifacts in the filesystem with the fnsysctl command:
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.