FortiOS SSL-VPN Zero-Day Details Evolve
In December 2022, Fortinet disclosed a critical vulnerability in FortiOS that attackers were exploiting in the wild. More details about the attack have now emerged.
The attack was highly targeted at government-related entities. The vulnerability, tracked as CVE-2022-42475, is in the SSL-VPN functionality of FortiOS and can be exploited by remote attackers without authentication. Successful exploitation can result in the execution of arbitrary code and commands.
Fortinet has also released an IPS signature for detecting exploit attempts, as well as detection rules for the known implant in its antivirus engine.
Customers can also search their logs for the following entries which could indicate exploitation attempts:
Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"
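As an added example (not Fortinet's code and not part of the original article), the following Python sketch applies that search to exported log lines. The key=value export layout is an assumption, and the sample lines are constructed for illustration.

```python
import re

# Assumed export format: key=value pairs, values bare or double-quoted.
FIELD_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')

def parse_fields(line):
    """Return {key: value} for one log line, with keys lower-cased."""
    return {key.lower(): quoted or bare
            for key, quoted, bare in FIELD_RE.findall(line)}

def is_sslvpnd_crash(fields):
    """True when the line matches the indicator quoted in the article."""
    msg = fields.get("msg", "")
    return (fields.get("logdesc", "").lower() == "application crashed"
            and "application:sslvpnd" in msg
            and "Signal 11 received" in msg)

def find_crashes(lines):
    """Return (line number, date, time) for every matching line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        fields = parse_fields(line)
        if is_sslvpnd_crash(fields):
            hits.append((number, fields.get("date", "?"), fields.get("time", "?")))
    return hits

# Constructed sample lines (not taken from a real device).
SAMPLE_LOG = [
    'date=2022-12-10 time=03:14:07 type="event" subtype="system" level="warning" '
    'logdesc="Application crashed" msg="Pid: 00123, application:sslvpnd, '
    'Signal 11 received, Backtrace: [constructed]"',
    # Same signal, different daemon: must not match.
    'date=2022-12-10 time=03:20:41 type="event" subtype="system" level="warning" '
    'logdesc="Application crashed" msg="Pid: 00456, application:httpsd, '
    'Signal 11 received, Backtrace: [constructed]"',
    # Ordinary VPN event: must not match.
    'date=2022-12-10 time=04:02:10 type="event" subtype="vpn" level="information" '
    'logdesc="SSL VPN tunnel up" msg="SSL tunnel established"',
    # Key capitalised as in the article's search string: must still match.
    'date=2022-12-11 time=01:55:32 type="event" subtype="system" level="warning" '
    'Logdesc="Application crashed" msg="Pid: 00789, application:sslvpnd, '
    'Signal 11 received, Backtrace: [constructed]"',
]

if __name__ == "__main__":
    for number, date, time in find_crashes(SAMPLE_LOG):
        print(f"line {number}: sslvpnd segfault at {date} {time}")
```

Because the malware described in this article edits event logs and can kill the logging processes, an empty result from a search like this does not rule out compromise.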
The attackers exploited the vulnerability and copied a Trojanized version of the FortiOS IPS Engine to the filesystem. This indicates the attackers are highly skilled and capable of reverse engineering custom FortiOS components.
The rogue version exports two legitimate functions called ips_so_patch_urldb and ips_so_query_interface that are normally part of the legitimate libips.so, but hijacks them to execute code stored in other malicious components.
Once executed, the legitimate IPS functionality no longer works correctly. The hijacked functions execute malicious code, which then reads and writes to a number of files called libiptcp.so, libgif.so.sslvpnconfigbk, and libipudp.so.
Analysis of network packet captures suggested the malware connected to two external attacker-controlled servers to download additional payloads and commands to execute. One of the servers was still in operation and had a folder containing binaries built specifically for different FortiGate hardware versions. This allowed the researchers to analyze additional files they believe attackers executed on the systems to manipulate the logging functionality in FortiOS.
According to the researchers:
- The malware patches the FortiOS logging processes, /bin/miglogd and /bin/syslogd, to manipulate logs and evade detection.
- It includes offsets and opcodes for 27 FortiGate models and version pairs. The malware opens a handle to the processes and injects data into them.
- Versions range from 6.0.5 to 7.2.1.
- Models are FG100F, FG101F, FG200D, FG200E, FG201F, FG240D, FG3H0E, FG5H0E, FG6H1E, FG800D, FGT5HD, FGT60F, FGT80F.
- The malware can manipulate log files. It searches for elog files, which are logs of events in FortiOS. After decompressing them in memory, it searches for a string the attacker specifies, deletes it, and reconstructs the logs.
- The malware can also kill the logging processes.
Upon examination, the Windows sample linked to the attacker exhibited signs of being constructed on a computer in the UTC+8 timezone. This timezone encompasses various countries such as:
- Other Eastern Asian countries
The researchers suggest that the attacker may be located in one of these regions. However, this information is not definitive proof of the attacker’s location.
The workaround for customers who can’t immediately deploy the updates is to disable SSL-VPN entirely, which might be difficult for organizations that rely on this functionality to support their remote or hybrid work environments.