A heap-based buffer overflow [CWE-122] in the firmware signature verification function of FortiOS may allow an attacker to execute arbitrary code via specially crafted installation images.
While Fortinet has not provided any information on how the flaw is being exploited, they shared IOCs related to attacks.
As shared previously by Olympe Cyberdefense and now Fortinet, when the vulnerability is exploited, it will generate the following entries in the logs:
Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]“
FortiGate E-series and F-series models released in 2019 and later (specifically: 40F, 60F, 200F, 400E, 600E, 1100E, 1800F, 2200E, 2600F, 3300E, 3400E, 3500F, 3600E and 7121F)
that are running the following versions of FortiOS:
FortiOS version 7.0.1 and below.
FortiOS version 6.4.6 and below.
FortiOS version 6.2.9 and below.
FortiOS version 6.0.13 and below.
FortiOS-6K7K version 6.4.2 and below.
FortiOS-6K7K version 6.2.7 and below.
FortiOS-6K7K version 6.0.10 and below.
fnsysctl ls -la /data/lib/libips.bak
fnsysctl ls -la /data/lib/libgif.so
fnsysctl ls -la /data/lib/libiptcp.so
fnsysctl ls -la /data/lib/libipudp.so
fnsysctl ls -la /data/lib/libjepg.so
fnsysctl ls -la /var/.sslvpnconfigbk
fnsysctl ls -la /data/etc/wxd.conf
fnsysctl ls -la /flash
Upgrade to FortiOS version 7.0.2 and above.
Upgrade to FortiOS version 6.4.7 and above.
Upgrade to FortiOS version 6.2.10 and above.
Upgrade to FortiOS version 6.0.14 and above.
Upgrade to FortiOS-6K7K version 6.4.3 and above.
Upgrade to FortiOS-6K7K version 6.2.8 and above.