In December of 2022, a vulnerability had been reported to the NVD regarding some security products by Fortinet. The products providing secure remote access which are affected by this issue are FortiOS VPN-SSL and FortiProxy VPN-SSL.
For those not familiar with Fortinet’s products, FortiOS is a secure operating system that powers various security appliances made by Fortinet, such as the FortiGate firewall, FortiAnalyzer, and FortiManager. It offers a comprehensive set of security features, including a firewall, VPN, intrusion prevention, application control, and web filtering, among others.
FortiProxy, on the other hand, is a secure web gateway solution that provides advanced web filtering, threat protection, and SSL inspection capabilities. It is designed to help organizations protect their users from web-based threats, such as malware, phishing, and data leakage. Overall, FortiProxy is an important tool for organizations looking to secure their web traffic and ensure compliance with regulatory requirements.
Has this vulnerability been exploited in the wild?
Not only that this vulnerability has been exploited in the wild, but in fact, that’s exactly how it got discovered. After having their system breached, victims found out that the logs indicate that sslvpnd
had crashed.
Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...],
Signal 11 received, Backtrace: [...]“
This happened because of a weakness (CWE-122) in the design that made the system vulnerable to a heap-based buffer overflow, a child weakness to CWE-787 - out-of-bounds write. So, as most of you already know, this sort of memory “scrambling” often leads to applications crashing. Unfortunately, the hackers have also managed to edit out these entries and recompile the logs, as well as to completely disable the miglogd
and syslogd
Fortinet daemons, rendering it almost impossible to detect an intrusion.
According to Fortiguard, another sign of intrusion that compromised the attackers' presence was these artifacts found in the system:
- /data/lib/libips.bak
- /data/lib/libgif.so
- /data/lib/libiptcp.so
- /data/lib/libipudp.so
- /data/lib/libjepg.so
- /var/.sslvpnconfigbk
- /data/etc/wxd.conf
- /flash
The vulnerability
This zero-day vulnerability, as we already said, relied on a heap-based buffer overflow. These sorts of weaknesses often occur when trying to treat some string data. Seasoned security researchers and programmers know how notorious and tricky the C language is for handling strings. This design flaw can be exploited by attackers to execute arbitrary code or cause a denial of service (DoS) condition on the targeted system. This could further lead to a downtime of the compromised system, resulting in financial loss, data theft, data corruption, and ransomware extortion.
Here we have a simple example of a heap-based buffer overflow:
#define BUFSIZE 256
int main(int argc, char **argv) {
char *buf;
buf = (char *)malloc(sizeof(char)*BUFSIZE);
strcpy(buf, argv[1]);
}
The fixed-size heap memory has been allocated to the buffer. Having that in mind, we need to add an input validation step to make sure that the argv[1] doesn’t exceed the given size and result in an overflow.
Who’s in danger?
Having mentioned that it’s a zero-day vulnerability, we can safely assume that the list of vulnerable versions is way longer than reported by Fortinet. According to them, these versions are definitely affected:
FortiOS:
6.0.15
6.2.0 - up until 6.2.11
6.4.0 - up until 6.4.10
7.0.0 - up until 7.0.8
7.2.0 - up until 7.2.2
FortiProxy:
7.0.7
7.2.0 - up until 7.2.1
If you receive updates automatically, your systems should’ve already been patched in December, but we recommend that you check your FortiOS/FortiProxy version manually anyways. If for whatever reason you cannot update and have a vulnerable version of Fortinet’s SSL-VPN using the product, we highly recommend you disable it.
Conclusion
As we often rely on these security-providing products, we are keen to ignore the fact that they are designed and engineered by humans, and humans do make mistakes. It’s hard to say what is the perfect balance between putting trust in someone else’s hands and reinventing the wheel by ourselves.
It is the least to say that this will affect Fortinet’s reputation, because, at the end of the day, it is their job to take care of your security concerns, instead of creating them.
Subscribe to be updated on the new content!