Merry Christmas everyone. It’s the time of year when we seem to see a few major notifications and exploits hit the streets. There seems to be an attitude of “if we wait till close to the holidays, everyone’s guard will be down”. But we don’t do that. Unfortunately cyber security is a 24x7x365 gig.
Fortigate have just released the following PSIRT: FortiOS – heap-based buffer overflow in sslvpnd (PSIRT Advisories | FortiGuard).
It has a CVSSv3 score of 9.3, so it’s a doozy.
How to check the Indicators of compromise?
- Are you running an impacted version of FortiOS? Unless you are on the latest release, it’s likely you are.
- Look for the log messages. We use Fortianalyzer and VMware vRLI for log collection. Adding an alert matching rule lets us look for sslvpnd crashes. If the rule matches nothing, no crash has been logged. There are other reasons the daemon may crash and restart, so a crash on its own is not a sole indicator.
- Look for the artifacts. We use the fnsysctl command for that:
FW (global) # fnsysctl ls /flash
ls: /flash: No such file or directory
FW (global) # fnsysctl ls /data/etc/wxd.conf
ls: /data/etc/wxd.conf: No such file or directory
FW (global) # fnsysctl ls /var/.sslvpnconfigbk
ls: /var/.sslvpnconfigbk: No such file or directory
FW (global) # fnsysctl ls /data/lib
libav.so libips.so
FW (global) #
None of the indicated files are present. That’s good.
To check the suspect IPs, you can either look in the session table, or you will need to check logging and Fortianalyzer if you have that data.
FW (global) # diagnose sys session filter dst 18.104.22.168
FW (global) # diagnose sys session list
total session 0
FW (global) # diagnose sys session filter dst 22.214.171.124
FW (global) # diagnose sys session list
total session 0
FW (global) # diagnose sys session filter dst 126.96.36.199
FW (global) # diagnose sys session list
total session 0
FW (global) # diagnose sys session filter dst 188.8.131.52
FW (global) # diagnose sys session list
total session 0
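As an added example (not from this post and not Fortinet code), here is a small Python checker that applies the alert matching idea above to exported FortiGate event logs: it parses the key=value fields, keeps only application-crash events that name sslvpnd, and counts them per device so that a one-off restart can be told apart from a repeating crash. The sample log lines are constructed approximations of the FortiOS key=value log format; device names, times and PIDs are made up.

```python
import re
from collections import Counter

# Matches FortiOS-style key=value fields; values may be double-quoted.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortigate_log(line: str) -> dict:
    """Parse one FortiOS key=value syslog line into a dict of fields."""
    fields = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields

def is_sslvpnd_crash(event: dict) -> bool:
    """True when the event is an application-crash log naming sslvpnd."""
    return (event.get("logdesc", "").lower() == "application crashed"
            and "sslvpnd" in event.get("msg", "").lower())

def sslvpnd_crashes_per_device(lines) -> Counter:
    """Count sslvpnd crash events per devname. One crash can be benign;
    repeated crashes on a device are what deserve a closer look."""
    counts = Counter()
    for line in lines:
        event = parse_fortigate_log(line)
        if is_sslvpnd_crash(event):
            counts[event.get("devname", "unknown")] += 1
    return counts

# Constructed sample lines approximating FortiOS event-log fields (not real
# captures). The last line is a crash of a different daemon and must not count.
SAMPLE_LOGS = [
    'date=2022-12-13 time=03:14:07 devname="FW-EDGE-1" type="event" '
    'level="critical" logdesc="Application crashed" '
    'msg="[2210] application: sslvpnd, signal 11 received, crashed"',
    'date=2022-12-13 time=03:14:09 devname="FW-EDGE-1" type="event" '
    'level="notice" logdesc="Admin login successful" '
    'msg="Administrator admin logged in successfully from ssh"',
    'date=2022-12-13 time=03:16:42 devname="FW-EDGE-1" type="event" '
    'level="critical" logdesc="Application crashed" '
    'msg="[2218] application: sslvpnd, signal 11 received, crashed"',
    'date=2022-12-13 time=04:00:00 devname="FW-EDGE-2" type="event" '
    'level="critical" logdesc="Application crashed" '
    'msg="[910] application: wad, signal 6 received, crashed"',
]

if __name__ == "__main__":
    for dev, n in sslvpnd_crashes_per_device(SAMPLE_LOGS).items():
        print(f"{dev}: {n} sslvpnd crash(es)")  # FW-EDGE-1: 2 sslvpnd crash(es)
```

Point it at a real export by reading the file into a list of lines; a device showing repeated hits is the one to take through the artifact and session checks above.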
What to do about it?
Basically the recommended path is to upgrade to the fixed release on each supported branch of code:
FortiOS version 7.2.3 or above
FortiOS version 7.0.9 or above
FortiOS version 6.4.11 or above
FortiOS version 6.2.12 or above
Follow the normal upgrade process, and the appropriate upgrade path as per the upgrade path tool.
If that is not possible, then I suggest disabling the SSL VPN. You do this by unsetting the source-interface in the config so that it is no longer listening:
config vpn ssl setting
    unset source-interface
end
If you cannot do either, then I still recommend source address filters that restrict the VPN endpoint to known endpoints or geographic regions, to limit exposure:
config vpn ssl setting
    set source-address "NZ" "AUS"
end
NOTE: It has not been confirmed whether the above will actually provide any protection, as we don’t yet know where in the code path the heap overflow is triggered, and it may occur before address checking. Further details and mitigations will be updated as they become available.