A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.
Fortinet is aware of an instance where this vulnerability was exploited in the wild, and recommends immediately validating your systems against the following indicators of compromise:
Multiple log entries with:
Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]“
Presence of the following artifacts in the filesystem:
/data/lib/libips.bak
/data/lib/libgif.so
/data/lib/libiptcp.so
/data/lib/libipudp.so
/data/lib/libjepg.so
/var/.sslvpnconfigbk
/data/etc/wxd.conf
/flash
Connections to suspicious IP addresses from the FortiGate:
188.34.130.40:444
103.131.189.143:30080,30081,30443,20443
192.36.119.61:8443,444
172.247.168.153:8033
Workaround :
Disable SSL-VPN.
| Affected Products | Solutions |
|---|---|
| FortiOS version 7.2.0 through 7.2.2 | Please upgrade to FortiOS version 7.2.3 or above |
| FortiOS version 7.0.0 through 7.0.8 | Please upgrade to FortiOS version 7.0.9 or above |
| FortiOS version 6.4.0 through 6.4.10 | Please upgrade to FortiOS version 6.4.11 or above |
| FortiOS version 6.2.0 through 6.2.11 | Please upgrade to FortiOS version 6.2.12 or above |
| FortiOS version 6.0.0 through 6.0.15 | End of Support |
| FortiOS version 5.6.0 through 5.6.14 | End of Support |
| FortiOS version 5.4.0 through 5.4.13 | End of Support |
| FortiOS version 5.2.0 through 5.2.15 | End of Support |
| FortiOS version 5.0.0 through 5.0.14 | End of Support |
| FortiOS-6K7K version 7.0.0 through 7.0.7 | Please upgrade to upcoming FortiOS-6K7K version 7.0.8 or above |
| FortiOS-6K7K version 6.4.0 through 6.4.9 | Please upgrade to FortiOS-6K7K version 6.4.10 or above |
| FortiOS-6K7K version 6.2.0 through 6.2.11 | Please upgrade to upcoming FortiOS-6K7K version 6.2.12 or above |
| FortiOS-6K7K version 6.0.0 through 6.0.14 | Please upgrade to FortiOS-6K7K version 6.0.15 or above |