
FortiOS Vulnerability CVE-2022-42475


Grubbslinger


We (Fortinet partner) got several warnings ahead from Fortinet themselves for the previous one which could be exploited if you expose the firewall's management interface into the internet. This one now can be exploited if you have SSL VPN enabled at all and we needed to gather the information from government authorities last week and no notification from the vendor yet.

I wonder what Fortinet thinks their customers use on their devices? Manage them through a public IP and not use VPN at all?


1 hour ago, Chris said:

We (Fortinet partner) got several warnings ahead from Fortinet themselves

If you work with Fortinet a lot, I have a question you may actually be able to help with. The advisory lists filesystem artifacts that are present on exploitation, but fails to mention how you check for these. As far as I remember (and I haven't touched a Fortinet device in a while), the CLI doesn't provide a real shell, only the limited management shell. The only command that may be useful for checking these files is

diagnose sys last-modified-files

and I'm not sure if that is available on all versions of FortiOS mentioned in the advisory. Is there a way IR can quickly check for these filesystem artifacts without the need to actually make a forensic image of the disk?


47 minutes ago, j91321 said:

Is there a way IR can quickly check for these filesystem artifacts without the need to actually make a forensic image of the disk?

You are looking for the `fnsysctl` command, which hands your command over to the Linux shell:

FG-Test # fnsysctl ls /bin -la
drwxr-xr-x    2 0        0       Tue Dec  6 07:07:59 2022             3720 .
drwxr-xr-x   17 0        0       Tue Dec  6 07:09:37 2022              460 ..
lrwxrwxrwx    1 0        0       Tue Dec  6 07:07:52 2022                9 acd -> /bin/init
lrwxrwxrwx    1 0        0       Tue Dec  6 07:07:52 2022                9 acs-sdn-change -> /bin/init
lrwxrwxrwx    1 0        0       Tue Dec  6 07:07:52 2022                9 acs-sdn-status -> /bin/init
lrwxrwxrwx    1 0        0       Tue Dec  6 07:07:52 2022                9 acs-sdn-update -> /bin/init
lrwxrwxrwx    1 0        0       Tue Dec  6 07:07:52 2022                9 alarmd -> /bin/init
lrwxrwxrwx    1 0        0       Tue Dec  6 07:07:52 2022                9 alertmail -> /bin/init
lrwxrwxrwx    1 0        0       Tue Dec  6 07:07:52 2022                9 authd -> /bin/init
lrwxrwxrwx    1 0        0       Tue Dec  6 07:07:52 2022                9 autod -> /bin/init
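One way to turn such a listing into a quick triage check, as an added example that is not from the post, Fortinet, or the advisory: a Python parser for the FortiOS `ls -la` column layout (date column before size) that flags anything in /bin that is not a symlink to /bin/init or is newer than the firmware build. The sample listing, the `updater` and `example_tool` entries and the `BASELINE` build time are all constructed for the example.

```python
import re
from datetime import datetime
# Constructed sample of `fnsysctl ls /bin -la` output: the first four lines
# mirror the post, the last two are invented entries that break the pattern.
SAMPLE = """\
drwxr-xr-x    2 0        0       Tue Dec  6 07:07:59 2022             3720 .
drwxr-xr-x   17 0        0       Tue Dec  6 07:09:37 2022              460 ..
lrwxrwxrwx    1 0        0       Tue Dec  6 07:07:52 2022                9 acd -> /bin/init
lrwxrwxrwx    1 0        0       Tue Dec  6 07:07:52 2022                9 authd -> /bin/init
-rwxr-xr-x    1 0        0       Mon Dec 12 03:14:07 2022            61440 updater
lrwxrwxrwx    1 0        0       Mon Dec 12 03:14:09 2022               22 example_tool -> /data/lib/example_tool
"""
# Assumed build time of the sample firmware (constructed); on a real box derive
# it from the image itself, e.g. the mtime of the /bin directory entry.
BASELINE = datetime(2022, 12, 6, 8, 0, 0)
# FortiOS columns: mode, links, uid, gid, "Www Mmm dd HH:MM:SS YYYY", size, name [-> target]
LINE_RE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<mtime>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+(?P<size>\d+)\s+"
    r"(?P<name>.+?)(?: -> (?P<target>.+))?$"
)

def parse_listing(text):
    """Parse the FortiOS `ls -la` layout (date column before size) into dicts."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:  # skip blank lines or a prompt echoed into the capture
            e = m.groupdict()
            e["mtime"] = datetime.strptime(e["mtime"], "%a %b %d %H:%M:%S %Y")
            e["size"] = int(e["size"])
            entries.append(e)
    return entries

def triage_bin(entries, baseline):
    """Flag /bin entries that deviate from a clean image, where every tool is a
    symlink to /bin/init and nothing is newer than the firmware build."""
    findings = []
    for e in entries:
        if e["name"] in (".", ".."):
            continue
        reasons = []
        if not (e["mode"].startswith("l") and e["target"] == "/bin/init"):
            reasons.append("not a symlink to /bin/init")
        if e["mtime"] > baseline:
            reasons.append("modified after firmware build")
        if reasons:
            findings.append((e["name"], reasons))
    return findings
```

Feed it the captured output of `fnsysctl ls -la` for whichever directories the advisory names and review every flagged entry by hand; the heuristic only narrows the list, it does not prove anything clean.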
