On December 12th, 2022 Fortinet released a PSIRT Advisory for CVE-2022-42475 noting that it had been exploited in the wild.
CVE-2022-42475 is a heap-based buffer overflow vulnerability (CWE-122) in FortiOS SSL-VPN, which may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.
Since the vulnerability’s announcement, GreyNoise has actively monitored for any activity potentially related to FortiGuard products.
Beginning December 29th, 2022 GreyNoise observed a significant increase in credential brute force attempts against Fortinet SSL VPN.
GreyNoise is not aware of any publicly available Proof-of-Concept code for CVE-2022-42475 at this time. We have created a tag for tracking Fortinet SSL VPN brute force activity, as its recent volume is malicious in nature and it is notably targeting the same product as another high-profile vulnerability.
Indicators and Detection
On December 29th, 2022 GreyNoise sensors observed a sudden high volume of HTTP traffic to the "/remote/logincheck" path containing credentials. We have correlated this as targeting Fortinet SSL VPN products using the following sources:
- Metasploit's Fortinet SSL VPN Bruteforce Login Utility
- Rapid7's module description
- https://gitlab.com/openconnect/openconnect/-/blob/master/fortinet.c#L120
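As an added illustration of how a defender can surface this activity in their own logs (example code written for this post, not GreyNoise's or Rapid7's), the detector below parses constructed access-log lines and flags any source that exceeds a threshold of POSTs to "/remote/logincheck" inside a sliding time window. The combined log format, the sample IPs, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines (assumed combined access-log format; real sensor logs differ).
SAMPLE_LOG = """\
203.0.113.5 - - [29/Dec/2022:10:00:00 +0000] "POST /remote/logincheck HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [29/Dec/2022:10:00:02 +0000] "GET /remote/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Dec/2022:10:00:05 +0000] "POST /remote/logincheck HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Dec/2022:10:00:10 +0000] "POST /remote/logincheck HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Dec/2022:10:00:15 +0000] "POST /remote/logincheck HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Dec/2022:10:00:20 +0000] "POST /remote/logincheck HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Dec/2022:10:00:25 +0000] "POST /remote/logincheck HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Dec/2022:10:00:30 +0000] "POST /remote/logincheck HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Dec/2022:10:05:00 +0000] "POST /remote/logincheck HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/remote/logincheck"  # the POST path GreyNoise sensors observed

def parse_line(line):
    """Return (ip, timestamp, method, path), or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT),
            m.group("method"), m.group("path"))

def find_bruteforcers(lines, threshold=5, window_seconds=60):
    """Map source IP -> peak POSTs to LOGIN_PATH inside any window_seconds-wide
    sliding window, for sources reaching threshold. Lines must be chronological."""
    recent = defaultdict(deque)  # ip -> POST timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        if method != "POST" or path != LOGIN_PATH:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # expire old hits
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged
```

With the sample above, find_bruteforcers(SAMPLE_LOG.splitlines()) returns {'203.0.113.5': 6}; the two logins from 198.51.100.7, minutes apart, stay below the threshold. Tune the threshold and window to the legitimate login rate of your own VPN before acting on hits.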
Metrics
As of 2023-01-31 GreyNoise has observed 13,513,728 login attempts to the specified POST path from 263 unique source IP addresses since 2022-12-02.
Defenders can keep up to date with associated activity on the Fortinet SSL VPN Bruteforcer Trends page.
Proposed Solutions Against Brute Force Attacks from Fortinet
Use our GreyNoise tag (via GreyNoise Search) to track and monitor this activity, and optionally block all IPs associated with it.
Follow Fortinet's guidance on "How to secure and limiting SSL-VPN unknown user login (Bruteforce attack)" and "Restrict unauthorized access on the SSL-VPN service".
Research Logbook
GreyNoise Researchers reviewed Rapid7's Fortinet SSL VPN Bruteforce Login Utility and created a test environment consisting of attacker and target Docker images. We used this environment to verify packet similarity to ensure our sensors were seeing similar traffic.
The attack container used a Kali Linux base with Metasploit installed. The target consisted of a vanilla Ubuntu container running a netcat listener on a specific port.
The "fortinet_ssl_vpn.rb" module was slightly altered to override valid server checks to make it easier to capture packets and perform analysis over HTTP.
Once configured and run, the payload was observed on the Docker instances using Wireshark.