[Cyber Alert] Fortigate CWE-122

Publications

IR Number: FG-IR-21-115
CVSSv3 Score: 7.3
CVE ID: CVE-2021-36173

Summary

A heap-based buffer overflow [CWE-122] in the firmware signature verification function of FortiOS may allow an attacker to execute arbitrary code via specially crafted installation images.

Logs

While Fortinet has not provided any information on how the flaw is being exploited, they shared IOCs related to attacks.

As shared previously by Olympe Cyberdefense and now Fortinet, when the vulnerability is exploited, it will generate the following entries in the logs:

Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"
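A small detector for that signature, added here as an example (it is not part of the alert or of Fortinet's guidance): it splits FortiOS key=value event-log lines into fields and flags only crash records where the crashing application is sslvpnd and the signal is 11, so ordinary crashes of other daemons do not raise an alert. The sample log lines are constructed for the example and do not come from a real device; the field names logdesc and msg are the ones quoted above.

```python
import re
from typing import Dict, List

# Constructed sample FortiOS event-log lines (not captured from a real device).
# Only the second line carries the sslvpnd / Signal 11 crash signature.
SAMPLE_LOGS = [
    'date=2022-12-12 time=10:01:02 type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="admin" '
    'msg="Administrator admin logged in successfully from https(10.0.0.5)"',
    'date=2022-12-12 time=10:05:44 type="event" subtype="system" level="critical" '
    'logdesc="Application crashed" '
    'msg="Pid 1234 is crashed. application:sslvpnd,Application Version: 6.4.6 '
    'Signal 11 received, Backtrace: [0x00007f1a2b3c4d5e] [0x00007f1a2b3c4e6f]"',
    'date=2022-12-12 time=10:07:10 type="event" subtype="system" level="critical" '
    'logdesc="Application crashed" '
    'msg="Pid 777 is crashed. application:httpsd,Signal 6 received, Backtrace: [0x0000000000401000]"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
ADDR_RE = re.compile(r"\[(0x[0-9a-fA-F]+)\]")


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Split one FortiOS key=value log line into a dict of field -> value."""
    return {k: (q if q != "" or b == "" else b) if q is not None else b
            for k, q, b in KV_RE.findall(line)}


def is_sslvpnd_crash(entry: Dict[str, str]) -> bool:
    """True when the record matches the advisory's crash signature exactly:
    logdesc 'Application crashed', application sslvpnd, Signal 11 (SIGSEGV)."""
    msg = entry.get("msg", "")
    return (entry.get("logdesc", "").lower() == "application crashed"
            and "application:sslvpnd" in msg
            and "Signal 11 received" in msg)


def extract_backtrace(msg: str) -> List[str]:
    """Pull the bracketed return addresses out of a crash message for triage."""
    return ADDR_RE.findall(msg)


def find_suspicious_crashes(lines: List[str]) -> List[Dict[str, object]]:
    """Return a triage record for every line that matches the signature."""
    hits = []
    for line in lines:
        entry = parse_fortios_log(line)
        if is_sslvpnd_crash(entry):
            hits.append({
                "date": entry.get("date"),
                "time": entry.get("time"),
                "backtrace": extract_backtrace(entry.get("msg", "")),
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_crashes(SAMPLE_LOGS):
        print(f"{hit['date']} {hit['time']} sslvpnd SIGSEGV, "
              f"{len(hit['backtrace'])} frames: {' '.join(hit['backtrace'])}")
```

Feed it the exported event log (or a syslog feed of the same records) rather than the console; the point of matching on application and signal together is that a crash of another daemon, or a different signal, is noise for this particular indicator.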

Affected Products

FortiGate E-series and F-series models released in 2019 and later (specifically: 40F, 60F, 200F, 400E, 600E, 1100E, 1800F, 2200E, 2600F, 3300E, 3400E, 3500F, 3600E and 7121F) that are running the following versions of FortiOS:

FortiOS version 7.0.1 and below.
FortiOS version 6.4.6 and below.
FortiOS version 6.2.9 and below.
FortiOS version 6.0.13 and below.
FortiOS-6K7K version 6.4.2 and below.
FortiOS-6K7K version 6.2.7 and below.
FortiOS-6K7K version 6.0.10 and below.

Commands (run from the FortiGate CLI to check whether the indicator files are present on the device):

fnsysctl ls -la /data/lib/libips.bak

fnsysctl ls -la /data/lib/libgif.so

fnsysctl ls -la /data/lib/libiptcp.so

fnsysctl ls -la /data/lib/libipudp.so

fnsysctl ls -la /data/lib/libjepg.so

fnsysctl ls -la /var/.sslvpnconfigbk

fnsysctl ls -la /data/etc/wxd.conf

fnsysctl ls -la /flash

Solutions

Upgrade to FortiOS version 7.0.2 and above.
Upgrade to FortiOS version 6.4.7 and above.
Upgrade to FortiOS version 6.2.10 and above.
Upgrade to FortiOS version 6.0.14 and above.
Upgrade to FortiOS-6K7K version 6.4.3 and above.
Upgrade to FortiOS-6K7K version 6.2.8 and above.
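The affected and fixed versions above are per release branch, so a plain "is my version lower than 7.0.2" comparison gets it wrong (it would call 6.4.7 vulnerable). The following checker is an added example, not part of the alert: it transcribes the Affected Products and Solutions lists into a per-branch table, parses a version string as it appears in `get system status` output (e.g. `v7.0.1,build0157`; the exact format is an assumption), and reports whether that build is listed as affected and which release fixes it. FortiOS-6K7K 6.0.10 and below is listed as affected but the Solutions section names no upgrade for that branch, so the checker reports that branch with no fixed version rather than inventing one.

```python
import re
from typing import Dict, Optional, Tuple

# Transcribed from the alert: (highest affected patch, fixed release) per
# product line and major.minor branch. FortiOS-6K7K 6.0 has no fix listed
# on the page, hence None.
ADVISORY: Dict[str, Dict[Tuple[int, int], Tuple[int, Optional[str]]]] = {
    "FortiOS": {
        (7, 0): (1, "7.0.2"),
        (6, 4): (6, "6.4.7"),
        (6, 2): (9, "6.2.10"),
        (6, 0): (13, "6.0.14"),
    },
    "FortiOS-6K7K": {
        (6, 4): (2, "6.4.3"),
        (6, 2): (7, "6.2.8"),
        (6, 0): (10, None),
    },
}

VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Accept '7.0.1', 'v7.0.1' or 'v7.0.1,build0157,210714 (GA)' (format assumed)
    and return (major, minor, patch)."""
    m = VERSION_RE.search(text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def assess(product: str, version: str) -> Dict[str, Optional[str]]:
    """Classify a build against the alert.

    status is one of:
      'vulnerable' - branch listed and patch <= highest affected patch
      'fixed'      - branch listed and patch above the affected ceiling
      'not listed' - branch not mentioned by the alert at all
    fixed is the upgrade target named in Solutions, or None where none is given.
    """
    if product not in ADVISORY:
        raise ValueError(f"unknown product line: {product!r}")
    major, minor, patch = parse_version(version)
    branch = ADVISORY[product].get((major, minor))
    if branch is None:
        return {"status": "not listed", "fixed": None}
    ceiling, fixed = branch
    status = "vulnerable" if patch <= ceiling else "fixed"
    return {"status": status, "fixed": fixed}


if __name__ == "__main__":
    for product, version in [("FortiOS", "v7.0.1,build0157"),
                             ("FortiOS", "6.4.7"),
                             ("FortiOS-6K7K", "6.0.10"),
                             ("FortiOS", "7.2.0")]:
        result = assess(product, version)
        print(f"{product} {version}: {result['status']}"
              + (f", upgrade to {result['fixed']}" if result["fixed"] else ""))
```

A 'not listed' result means only that this bulletin says nothing about that branch (for instance a release newer than those enumerated); it is not a statement that the build is safe.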

2 Comments

  1. JP on December 13, 2022 at 5:06 pm

    Good stuff, Eric. Thanks

  2. TimothyWorie on September 20, 2023 at 12:18 pm

    Cool, I’ve been looking for this one for a long time
