New FortiGate Vulnerability – CVE-2022-42475

Today Fortinet has published a new critical vulnerability in their FortiGate products. A successful attack allows arbitrary code or commands to be executed.

The problem exists in the SSLVPN module – and you might be vulnerable if you are using SSLVPN and not running the latest patch release of your major version.

Affected Versions:
– FortiOS v7.2.0 – 7.2.2
– FortiOS v7.0.0 – 7.0.8
– FortiOS v6.4.0 – 6.4.10
– FortiOS v6.2.0 – 6.2.11
– FortiOS v6.0.15 and before

This means that the latest patch releases of all supported major versions (7.2.3, 7.0.9, 6.4.11, 6.2.12, 6.0.16) are not vulnerable.
Therefore, please update if you are not running the latest patch release of your major version. Or – if an update is not possible now – please disable SSLVPN until then.
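
For checking a device inventory against the version ranges above, here is a small script added as an example (it is not from Fortinet or from the original post). The hostnames and the "hostname version" inventory format are assumptions, and treating branches below 6.0 as affected follows Update II further down.

```python
import re

# First non-vulnerable patch release per major.minor branch, as listed in the post.
FIXED = {(7, 2): 3, (7, 0): 9, (6, 4): 11, (6, 2): 12, (6, 0): 16}

def parse_version(text):
    """Extract (major, minor, patch) from strings such as 'v7.0.8' or 'FortiOS 6.4.10'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no FortiOS version found in {text!r}")
    return tuple(int(part) for part in m.groups())

def assess(version_text):
    """Return (affected, note); affected is True, False, or None when the post gives no answer."""
    try:
        major, minor, patch = parse_version(version_text)
    except ValueError:
        return None, "unparseable version string"
    fixed = FIXED.get((major, minor))
    if fixed is not None:
        if patch < fixed:
            return True, f"update to {major}.{minor}.{fixed} or disable SSLVPN"
        return False, "at or above the fixed patch release"
    if (major, minor) < (6, 0):
        # Assumption from Update II: older branches are vulnerable, no fix named in the post.
        return True, "end-of-support branch, no fixed release named in the post"
    return None, "branch not covered by the post, check the PSIRT advisory"

def triage(inventory):
    """Map hostname -> (affected, note) for an iterable of 'hostname version' lines."""
    result = {}
    for line in inventory:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(" ")
        result[host] = assess(version)
    return result

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = ["# hostname version", "fw-branch-01 v7.2.2", "fw-hq-01 v7.0.9",
          "fw-lab-01 FortiOS v6.4.10", "fw-old-01 5.6.14", "fw-new-01 7.4.0"]

if __name__ == "__main__":
    for host, (affected, note) in triage(SAMPLE).items():
        print(f"{host}: affected={affected} ({note})")
```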

Please find more information here: https://www.fortiguard.com/psirt/FG-IR-22-398

Update – 13. December: Fortinet mentions some indicators of compromise in the PSIRT article.

Besides looking in the logs for sslvpn crashes, you can also check the crash log in the CLI:

# diag deb crashlog read | grep sslvpnd

If you have several hits here, you should pay more attention…

And if you want to check the mentioned files in the filesystem, you can use one of these CLI commands to list, for example, the /data/lib directory:

# fnsysctl ls /data/lib
or
# diagnose sys last-modified-files /data/lib

Please make sure that you have super_admin privileges for these commands.

Update II – 13. December: Fortinet has just published that all FortiOS versions <= 6.0 are vulnerable as well. We are not sure whether Fortinet will release any patches for these versions, as they are already in end-of-support (EOS) – but we will try to find out.

Update III – 16. December: Fortinet released FortiOS v6.0.16 yesterday.

Update IV – 23. January: Fortinet has released a very interesting blog article regarding this issue.
