December 12, 2022
Critical Patch Available for FortiGate Firewalls - WST
Fortinet just published details (https://www.fortiguard.com/psirt/FG-IR-22-398) of a vulnerability that could allow remote code execution by an attacker (without any authentication) through FortiGate firewalls that have SSL-VPN functionality available on the Internet.
What makes this one a bit different from other notices of its kind is that Fortinet says that they are “aware of an instance where this vulnerability was exploited in the wild.” Attackers are actively exploiting this vulnerability, and now that the notification has gone out, they will ramp up their activity trying to get in as many places as possible before patching takes place.
To fix: Upgrade FortiOS as soon as possible.
Upgrading the firewall will require a reboot and could affect operations, so, unless you can accommodate the network outage during the day, it may be best to have this upgrade performed after-hours. If there’s a managed services provider that administers a firewall on your behalf, have them prove to you that you’re not on an affected version of FortiOS.
To investigate whether the vulnerability was exploited in your environment, Fortinet also offers some known IP addresses and ports that have been used. You’ll want to look for these in your firewall logs/SIEM or have any associated managed security services providers do this on your behalf. Look for connections to suspicious IP addresses and ports from the FortiGate:
188.34.130.40:444
103.131.189.143:30080,30081,30443,20443
192.36.119.61:8443,444
172.247.168.153:8033
Information on other IOCs (indicators of compromise) can be found in the advisory.
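One way to run that log check, as an added example rather than anything from Fortinet or the original post: it scans key=value traffic log lines for connections from the firewall's own addresses to the IP/port pairs listed above. The sample log lines and the firewall address 203.0.113.10 are constructed, and it assumes your export carries the `srcip`, `dstip` and `dstport` fields.

```python
import shlex

# IP -> ports, copied from the list above.
IOCS = {
    "188.34.130.40": {444},
    "103.131.189.143": {30080, 30081, 30443, 20443},
    "192.36.119.61": {8443, 444},
    "172.247.168.153": {8033},
}

def parse_kv(line):
    """Split a key=value log line into a dict; quoted values may contain spaces."""
    try:
        tokens = shlex.split(line)
    except ValueError:          # unbalanced quote in the line: fall back to a plain split
        tokens = line.split()
    fields = {}
    for token in tokens:
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def find_ioc_hits(lines, firewall_ips):
    """Return (line_no, dstip, dstport, match) for connections from the firewall to a listed IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        f = parse_kv(line)
        dstip = f.get("dstip")
        if f.get("srcip") not in firewall_ips or dstip not in IOCS:
            continue
        port = f.get("dstport", "")
        port = int(port) if port.isdigit() else None
        # An exact IP+port match is the strongest signal; an IP-only match still deserves review.
        match = "ip+port" if port in IOCS[dstip] else "ip-only"
        hits.append((n, dstip, port, match))
    return hits

# Constructed sample lines, not taken from a real device.
SAMPLE_LOG = [
    'date=2022-12-12 time=02:14:07 type="traffic" subtype="local" srcip=203.0.113.10 srcport=51544 dstip=103.131.189.143 dstport=30443 action="accept"',
    'date=2022-12-12 time=02:15:31 type="traffic" subtype="forward" srcip=10.0.5.23 srcport=40022 dstip=198.51.100.7 dstport=443 action="accept"',
    'date=2022-12-12 time=02:16:02 type="traffic" subtype="local" srcip=203.0.113.10 srcport=51610 dstip=192.36.119.61 dstport=22 action="deny" msg="policy deny"',
]

if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG, {"203.0.113.10"}):
        print(hit)
```

Pass every address the FortiGate itself uses (WAN and management interfaces) as `firewall_ips`, since the advisory's indicator is traffic originating from the firewall.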
Authored by: Kyle Stelly, CISSP, PCIP