without_prejudice
New Contributor

FortiOS 6.2.9 list files in filesystem CVE-2022-42475 FG-IR-22-398

 

Hi

 

I have a pair of FortiGate-200E Firewalls in HA mode

v6.2.9,build1234,210601 (GA)

 

The advisory FG-IR-22-398 recommends checking for the existence of certain files in the filesystem.

/data/lib/libips.bak
/data/lib/libgif.so
/data/lib/libiptcp.so
/data/lib/libipudp.so
/data/lib/libjepg.so
/var/.sslvpnconfigbk
/data/etc/wxd.conf
/flash

 

The fnsysctl command doesn't appear to be available.

$ fnsysctl ls
Unknown action 0

 

How do I list files in the filesystem in v6.2.9?

 

Do I need to enter a privileged mode to use fnsysctl or should I be using another command?

 

I am new to Fortigates and this has just been dropped in my lap.

 

Thanks for any assistance.

1 Solution
Yurisk
Valued Contributor

Hi,

  • You have to be an admin user with super_admin profile
  • You have to give the command folder to list: # fnsysctl ls -l /data/lib
  • Command is 'hidden' - tab completion will not work here.
  • It has been available for many years, so 6.2 has it for sure as well.
Yuri https://yurisk.info/  blog: All things Fortinet, no ads.

without_prejudice

Thanks, someone downgraded the account called superadmin to the prof_admin profile :)

 

There is one account on the firewall with the super_admin profile. Hopefully I can track those account details down. A challenge for tomorrow.

Jirka1
Contributor III

Hi,

Is there any workaround other than disabling SSLVPN? E.g. restricting connections to only some countries?

Thanks.

Jirka

dan

We have generally only those countries allowed for SSL VPN, that are also needed by travelling users or home users. 

Yurisk
Valued Contributor

Nope, either upgrade the firmware or disable SSL. Many restrict SSL VPN access to their country, which is always good practice, but this only reduces the exposure. This exploit is not trivial to create, so those who can develop it, I am sure, will have advanced infrastructure capabilities as well. Anyone can buy a 200-country VPN, a VPS server in any country with crypto coins, etc.

 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
dan
Contributor

I think the same PSIRT also mentions searching the logfiles for

Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"

 

How can this be done easily on the CLI?

 

Dan

 

eda
New Contributor II

I have the same question as Dan.

And I also wonder about the path to the logfile to search and the name of the logfile.

 

\\eda

JoePasc
New Contributor

dan

Yes, @JoePasc, I have tried this path too. But I was not able to identify the right filter and the right log to search in. Would be nice to just grep for a string across all logs..

Would you mind sharing with us the exact CLI commands that would reveal the "bad" entries, if they exist?

Thanks

Dan
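The log check asked about above, as an added example that is not part of the original thread and not Fortinet tooling: a Python filter for the quoted pattern (logdesc "Application crashed", msg naming sslvpnd with Signal 11), run over event log lines already exported from the firewall to text. The export step, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# key=value or key="quoted value" pairs, the layout of FortiGate log lines
PAIR = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')

def parse_line(line):
    """Split one log line into a dict of field name -> value."""
    return {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in PAIR.finditer(line)}

def is_sslvpnd_segfault(fields):
    """True for the pattern quoted in the thread: logdesc "Application crashed"
    with a msg that names sslvpnd and reports Signal 11."""
    msg = fields.get("msg", "")
    return (fields.get("logdesc") == "Application crashed"
            and re.search(r"application:\s*sslvpnd\b", msg) is not None
            and "Signal 11 received" in msg)

def find_crashes(lines):
    """Return (line_number, date, time) for every matching log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        fields = parse_line(line)
        if is_sslvpnd_segfault(fields):
            hits.append((number, fields.get("date"), fields.get("time")))
    return hits

# Constructed sample lines (not real logs): two sslvpnd crashes, one crash of
# another daemon, and one unrelated event that must not match.
SAMPLE = [
    'date=2022-12-13 time=09:14:02 level="warning" logdesc="Application crashed" '
    'msg="Pid: 1201, application: sslvpnd, Signal 11 received, Backtrace: [...]"',
    'date=2022-12-13 time=09:20:45 level="warning" logdesc="Application crashed" '
    'msg="Pid: 877, application: httpsd, Signal 11 received, Backtrace: [...]"',
    'date=2022-12-13 time=10:01:10 level="information" logdesc="SSL VPN tunnel up" '
    'msg="SSL tunnel established"',
    'date=2022-12-14 time=02:33:51 level="warning" logdesc="Application crashed" '
    'msg="Pid: 1342, application:sslvpnd, Signal 11 received, Backtrace: [...]"',
]

if __name__ == "__main__":
    for number, date, time in find_crashes(SAMPLE):
        print(f"line {number}: sslvpnd crash (signal 11) at {date} {time}")
```

To run it over a real export, pass an open file object to `find_crashes` in place of `SAMPLE`.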
