Critical FortiOS pre-auth RCE vulnerability exploited by attackers (CVE-2022-42475)

A critical RCE vulnerability (CVE-2022-42475) in Fortinet’s operating system, FortiOS, is being exploited by attackers, reportedly by a ransomware group.

“Fortinet is aware of an instance where this vulnerability was exploited in the wild,” the company said in an advisory published on Monday, but offered no specific details about the attack.

About CVE-2022-42475

CVE-2022-42475 is a heap-based buffer overflow vulnerability in FortiOS, and “may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests” and, in general, gain full control of vulnerable devices.

FortiOS is based on the Linux kernel and powers many of Fortinet’s products, including its FortiGate firewalls. According to Olympe Cyberdefense, this vulnerability specifically affects the operating system’s SSL VPN functionality.

The flaw affects:

  • FortiOS version 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, and 6.2.0 through 6.2.11
  • FortiOS-6K7K version 7.0.0 through 7.0.7, 6.4.0 through 6.4.9, 6.2.0 through 6.2.11, and 6.0.0 through 6.0.14

Fixes and mitigations

FortiOS vulnerabilities are often exploited by attackers.

Fortinet has fixed CVE-2022-42475 in:

  • FortiOS version 7.2.3 or above, 7.0.9 or above, 6.4.11 or above, and 6.2.12 or above
  • FortiOS-6K7K version 7.0.8 or above, 6.4.10 or above, 6.2.12 or above, and 6.0.15 or above.

As noted by security researcher Will Dormann, some of these were released last month but without any mention of them containing a fix for such a critical zero-day flaw.

Fortinet has not provided any official mitigations for the issue, while Olympe Cyberdefense researchers say disabling the VPN-SSL functionality and setting up conditional access rules can limit organizations’ risk of exploitation.

They also shared some indicators of compromise – log entries and artifacts in the filesystem – that defenders can look for to check whether their devices have been compromised. Fortinet has added to those a few suspicious IP addresses that compromised FortiGate appliances may have contacted.

Freelance IT consultant Ewen McNeill has posited that FortiOS 6.0, which is past its end-of-support date, may be vulnerable as well, and advised users to take precautions.

UPDATE (December 14, 2022, 05:20 a.m. ET):

Fortinet has updated the advisory, confirming that FortiOS 6.0.x and 5.x versions are vulnerable as well. According to McNeill, a FortiOS 6.0.x security fix for this flaw might be in the works.

Fortinet has also confirmed that disabling the SSL-VPN functionality is a possible workaround.
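The affected and fixed version lists above, together with the update confirming that 6.0.x and 5.x are vulnerable, are the data a defender needs to triage a fleet of FortiGate appliances. The following is an added example, not code from the article, Fortinet or Olympe Cyberdefense: it encodes the version ranges exactly as the article states them and reports, for each device in a constructed inventory, whether the firmware is affected, already fixed, or in a branch the article does not mention. Versions are compared as integer tuples rather than strings, because a plain string comparison ranks 7.0.10 below 7.0.9. The inventory hostnames and the "no fixed release listed" wording are assumptions of the example.

```python
"""Triage FortiOS versions against the CVE-2022-42475 ranges quoted in the article.

Added example, not part of the article or of any Fortinet tooling. The version
ranges are copied from the article's affected/fixed lists and its Dec 14 update;
everything else (product labels, inventory, messages) is constructed here.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


def parse_version(s: str) -> tuple[int, int, int]:
    """Turn 'v7.0.10' / '7.0.10' into (7, 0, 10) so comparisons are numeric.

    A string comparison would put "7.0.10" before "7.0.9"; tuples do not.
    """
    parts = s.strip().lower().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected a dotted x.y.z version, got {s!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


@dataclass(frozen=True)
class Branch:
    major: int
    minor: Optional[int]          # None: every minor of that major (the article's "5.x")
    last_affected: Optional[int]  # None: every patch level of the branch is affected
    first_fixed: Optional[int]    # None: the article lists no fixed release

    def matches(self, v: tuple[int, int, int]) -> bool:
        return v[0] == self.major and (self.minor is None or v[1] == self.minor)


# Ranges as stated in the article (affected list, fixed list, and the update).
ADVISORY: dict[str, list[Branch]] = {
    "FortiOS": [
        Branch(7, 2, last_affected=2, first_fixed=3),    # 7.2.0-7.2.2, fixed 7.2.3
        Branch(7, 0, last_affected=8, first_fixed=9),    # 7.0.0-7.0.8, fixed 7.0.9
        Branch(6, 4, last_affected=10, first_fixed=11),  # 6.4.0-6.4.10, fixed 6.4.11
        Branch(6, 2, last_affected=11, first_fixed=12),  # 6.2.0-6.2.11, fixed 6.2.12
        Branch(6, 0, last_affected=None, first_fixed=None),     # update: 6.0.x vulnerable, no fix listed
        Branch(5, None, last_affected=None, first_fixed=None),  # update: 5.x vulnerable, no fix listed
    ],
    "FortiOS-6K7K": [
        Branch(7, 0, last_affected=7, first_fixed=8),    # 7.0.0-7.0.7, fixed 7.0.8
        Branch(6, 4, last_affected=9, first_fixed=10),   # 6.4.0-6.4.9, fixed 6.4.10
        Branch(6, 2, last_affected=11, first_fixed=12),  # 6.2.0-6.2.11, fixed 6.2.12
        Branch(6, 0, last_affected=14, first_fixed=15),  # 6.0.0-6.0.14, fixed 6.0.15
    ],
}


def assess(product: str, version: str) -> str:
    """Classify one firmware build: 'fixed', 'affected: ...', or not listed."""
    v = parse_version(version)
    for b in ADVISORY.get(product, []):
        if not b.matches(v):
            continue
        patch = v[2]
        if b.first_fixed is not None and patch >= b.first_fixed:
            return "fixed"
        if b.last_affected is None or patch <= b.last_affected:
            if b.first_fixed is None:
                # Article: disabling SSL-VPN is the confirmed workaround.
                return "affected: no fixed release listed; disable SSL-VPN until one ships"
            return f"affected: upgrade to {b.major}.{b.minor}.{b.first_fixed} or above"
    return "not listed in the advisory text"


def triage(inventory: list[tuple[str, str, str]]) -> dict[str, str]:
    """Map hostname -> assessment for (hostname, product, version) records."""
    return {host: assess(product, version) for host, product, version in inventory}


if __name__ == "__main__":
    # Constructed inventory; hostnames and builds are invented for the demo.
    sample = [
        ("fw-hq-01", "FortiOS", "7.0.8"),
        ("fw-hq-02", "FortiOS", "7.0.10"),
        ("fw-branch-03", "FortiOS", "6.0.12"),
        ("fw-dc-01", "FortiOS-6K7K", "6.0.15"),
        ("fw-lab-01", "FortiOS", "7.4.0"),
    ]
    for host, verdict in triage(sample).items():
        print(f"{host:14} {verdict}")
```

Feed it the firmware versions pulled from your own asset inventory; anything reported as "affected" is a patch or workaround candidate, and anything "not listed" should be rechecked against Fortinet's current advisory rather than assumed safe.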
