Merry Christmas everyone. It’s the time of year when we seem to see a few major notifications and exploits hit the streets. There seems to be a mindset of “if we wait till close to the holidays, everyone’s guard will be down”. But we don’t do that. Unfortunately, cyber security is a 24x7x365 gig.

Fortigate has just released the following PSIRT advisory: FortiOS – heap-based buffer overflow in sslvpnd (PSIRT Advisories | FortiGuard).

It has a CVSSv3 score of 9.3, so it’s a doozy.

How do you check for the indicators of compromise?

  1. Are you running an impacted version of FortiOS? Unless you are on the latest release, it’s likely you are.
  2. Look for the log messages. We use FortiAnalyzer and VMware vRLI for log collection; adding an alert matching rule lets us look for sslvpnd crashes. No matching log lines should be visible. The daemon may crash and restart for other reasons, so a crash on its own is not a sole indicator.
  3. Look for the artifacts. We use the fnsysctl command for that:
FW (global) # fnsysctl ls /flash
ls: /flash: No such file or directory

FW (global) # fnsysctl ls /data/etc/wxd.conf
ls: /data/etc/wxd.conf: No such file or directory

FW (global) # fnsysctl ls /var/.sslvpnconfigbk
ls: /var/.sslvpnconfigbk: No such file or directory

FW (global) # fnsysctl ls /data/lib
libav.so   libips.so

FW (global) #

None of the indicated files are visible. That’s good.

To check for the suspect IPs, either look in the session table, or check your logging and FortiAnalyzer if you have that data:

FW (global) # diagnose sys session filter dst 188.34.130.40

FW (global) #  diagnose sys session list
total session 0

FW (global) # diagnose sys session filter dst 103.131.189.143

FW (global) #  diagnose sys session list
total session 0

FW (global) # diagnose sys session filter dst 192.36.119.61

FW (global) #  diagnose sys session list
total session 0

FW (global) # diagnose sys session filter dst 172.247.168.153

FW (global) #  diagnose sys session list
total session 0
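The checks above are easy to do by hand on one firewall but tedious across a fleet, so here is an added example (not from the original post or from Fortinet) of a small triage script that applies the same three checks to captured CLI output: the version against the fixed releases listed later in this post, the fnsysctl ls results for the artifact paths, a diff of the /data/lib listing against the known-good listing shown above, and the session counts for the suspect IPs. All sample CLI output embedded below is constructed for the example; the version-string format and the helper names are my assumptions, not a FortiOS API.

```python
import re

# Minimum fixed release per branch, taken from the versions named in this post.
# Branches not listed here are reported as unknown rather than guessed at.
FIXED_VERSIONS = {
    (7, 2): (7, 2, 3),
    (7, 0): (7, 0, 9),
    (6, 4): (6, 4, 11),
    (6, 2): (6, 2, 12),
}

# Artifact paths the post checks with "fnsysctl ls".
ARTIFACT_PATHS = ["/flash", "/data/etc/wxd.conf", "/var/.sslvpnconfigbk"]

# Known-good /data/lib listing, from the post's own clean output.
DATA_LIB_BASELINE = {"libav.so", "libips.so"}

# Suspect destination IPs the post filters the session table on.
SUSPECT_IPS = ["188.34.130.40", "103.131.189.143", "192.36.119.61", "172.247.168.153"]


def parse_version(text):
    """Extract (major, minor, patch) from a version string such as 'v7.0.8,build0523'
    (assumed format; the regex tolerates a leading 'v' and trailing build info)."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(version):
    """True when below the fixed release for its branch; None for an unlisted branch."""
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


def artifact_present(ls_output):
    """Interpret 'fnsysctl ls <path>' output: 'No such file or directory' means
    the artifact is absent; any other output means something exists at that path."""
    return "No such file or directory" not in ls_output


def unexpected_libs(ls_output, baseline=DATA_LIB_BASELINE):
    """Names in a /data/lib listing that are not in the known-good baseline."""
    return sorted(set(ls_output.split()) - baseline)


def session_count(list_output):
    """Parse 'total session N' from 'diagnose sys session list' output."""
    m = re.search(r"total session\s+(\d+)", list_output)
    return int(m.group(1)) if m else 0


def triage(version_text, artifact_outputs, data_lib_output, session_outputs):
    """Run every check and return a list of findings; an empty list means nothing matched."""
    findings = []
    ver = parse_version(version_text)
    vuln = is_vulnerable_version(ver)
    if vuln:
        findings.append("running vulnerable FortiOS %d.%d.%d" % ver)
    elif vuln is None:
        findings.append("unlisted branch %d.%d; check the advisory manually" % ver[:2])
    for path, out in artifact_outputs.items():
        if artifact_present(out):
            findings.append(f"artifact present: {path}")
    extra = unexpected_libs(data_lib_output)
    if extra:
        findings.append("unexpected files in /data/lib: " + ", ".join(extra))
    for ip, out in session_outputs.items():
        n = session_count(out)
        if n:
            findings.append(f"{n} session(s) to suspect IP {ip}")
    return findings


# Constructed sample: a clean, patched firewall whose output matches the post.
CLEAN_ARTIFACTS = {p: f"ls: {p}: No such file or directory" for p in ARTIFACT_PATHS}
CLEAN_SESSIONS = {ip: "total session 0" for ip in SUSPECT_IPS}
CLEAN_VERSION = "v7.0.9,build0000"  # constructed version string

# Constructed sample: an unpatched firewall with one artifact and live sessions.
DIRTY_ARTIFACTS = dict(CLEAN_ARTIFACTS, **{"/var/.sslvpnconfigbk": "/var/.sslvpnconfigbk"})
DIRTY_SESSIONS = dict(CLEAN_SESSIONS, **{"188.34.130.40": "total session 2"})
DIRTY_VERSION = "v7.0.8,build0000"  # constructed version string

if __name__ == "__main__":
    for label, args in [
        ("clean", (CLEAN_VERSION, CLEAN_ARTIFACTS, "libav.so   libips.so", CLEAN_SESSIONS)),
        ("dirty", (DIRTY_VERSION, DIRTY_ARTIFACTS, "libav.so   libips.so   unknown.so", DIRTY_SESSIONS)),
    ]:
        print(label, triage(*args) or ["no indicators matched"])
```

Paste the raw output of each command into the corresponding argument and read the findings list; an empty list reproduces the "none of the indicated files are visible" result above. The /data/lib baseline is only as good as the listing you captured from a known-clean unit, so take that listing before an incident rather than from the box you are investigating.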

What to do about it?

Basically, the recommended path is to upgrade to the latest release on each supported branch of code:

FortiOS version 7.2.3 or above
FortiOS version 7.0.9 or above
FortiOS version 6.4.11 or above
FortiOS version 6.2.12 or above

Follow the normal upgrade process, and the appropriate upgrade path as given by the upgrade path tool.

If that is not possible, then I suggest disabling the SSL VPN. You do this by unsetting the source-interface in the config, which ensures it’s not listening:

# config vpn ssl setting
unset source-interface
end

Source: https://community.fortinet.com/t5/FortiGate/Technical-Tip-nbsp-How-to-disable-SSL-VPN/ta-p/230801

If you cannot do either, then I still recommend applying source address filters on the VPN endpoint, restricting it to known addresses or geographic regions to limit exposure:

# config vpn ssl setting
set source-address "NZ" "AUS"
end

NOTE: It has not been confirmed whether the above will actually provide any protection, as we don’t yet know where the heap overflow is triggered, and it’s possible it occurs before the address check. Further details and mitigations will be updated as they become available.

Fortigate Critical Vulnerability Disclosure – Dec 2022 – How to check and what to do.