Exploitation Indicator Of CVE-2022-42475
Detects exploitation indicators of CVE-2022-42475, a heap-based buffer overflow in sslvpnd.
Sigma rule
title: Exploitation Indicator Of CVE-2022-42475
id: 293ccb8c-bed8-4868-8296-bef30e303b7e
status: experimental
description: Detects exploitation indicators of CVE-2022-42475, a heap-based buffer overflow in sslvpnd.
references:
    - https://www.fortiguard.com/psirt/FG-IR-22-398
    - https://www.bleepingcomputer.com/news/security/fortinet-says-ssl-vpn-pre-auth-rce-bug-is-exploited-in-attacks/
    - https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/
    - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420
author: Nasreddine Bencherchali (Nextron Systems), Nilaa Maharjan, Douglasrose75
date: 2024-02-08
tags:
    - attack.initial-access
    - cve.2022-42475
    - detection.emerging-threats
logsource:
    product: fortios
    service: sslvpnd
    definition: 'Requirements: file creation events or equivalent must be collected from the FortiOS SSL-VPN appliance in order for this detection to function correctly'
detection:
    keywords:
        - '/data/etc/wxd.conf'
        - '/data/lib/libgif.so'
        - '/data/lib/libips.bak'
        - '/data/lib/libiptcp.so'
        - '/data/lib/libipudp.so'
        - '/data/lib/libjepg.so'
        - '/var/.sslvpnconfigbk'
    condition: keywords
falsepositives:
    - Unknown
level: high
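The rule above is a plain Sigma `keywords` rule: each listed path is matched as a case-insensitive substring anywhere in the raw event, and `condition: keywords` fires when any one of them is present. The following Python is an added example (not part of the rule page or of the Sigma project) that reproduces that matching logic without a Sigma backend, so an analyst can test which file-creation events from the appliance would trigger the rule. The indicator list is copied from the rule; the log lines are constructed to look like FortiOS key=value events and the `path` field is an assumption, not a documented FortiOS field.

```python
"""Apply the CVE-2022-42475 Sigma keyword logic to FortiOS-style log lines."""
import re
from typing import Iterable

# Indicator paths exactly as listed under `keywords:` in the Sigma rule.
INDICATORS = [
    "/data/etc/wxd.conf",
    "/data/lib/libgif.so",
    "/data/lib/libips.bak",
    "/data/lib/libiptcp.so",
    "/data/lib/libipudp.so",
    "/data/lib/libjepg.so",
    "/var/.sslvpnconfigbk",
]

# Sigma `keywords` semantics: case-insensitive substring match against the
# whole event; `condition: keywords` is satisfied by any single keyword.
_PATTERN = re.compile("|".join(re.escape(k) for k in INDICATORS), re.IGNORECASE)

# Map lower-cased spellings back to the canonical form used in the rule.
_CANONICAL = {k.lower(): k for k in INDICATORS}


def match_line(line: str) -> list[str]:
    """Return the indicator paths present in one log line (empty if none)."""
    found = _PATTERN.findall(line)
    return sorted({_CANONICAL[f.lower()] for f in found})


def scan(lines: Iterable[str]) -> list[tuple[int, str, list[str]]]:
    """Scan log lines and return (line_no, line, indicators) for every hit."""
    hits = []
    for no, line in enumerate(lines, start=1):
        indicators = match_line(line)
        if indicators:
            hits.append((no, line, indicators))
    return hits


# Constructed sample events (not real FortiOS output): a benign file write,
# a write of a dropped library, a backup path in mixed case, and an
# unrelated login event. The `path` field is assumed for illustration.
SAMPLE_LOG = [
    'date=2024-02-08 time=10:00:01 devname="fgt-edge" logdesc="File created" path="/data/etc/hosts"',
    'date=2024-02-08 time=10:00:02 devname="fgt-edge" logdesc="File created" path="/data/lib/libjepg.so"',
    'date=2024-02-08 time=10:00:03 devname="fgt-edge" logdesc="File created" path="/var/.SSLVPNConfigBK"',
    'date=2024-02-08 time=10:00:04 devname="fgt-edge" logdesc="Admin login" user="admin"',
]

if __name__ == "__main__":
    for no, _line, indicators in scan(SAMPLE_LOG):
        print(f"line {no}: {', '.join(indicators)}")
```

Note that the rule's `logsource.definition` is the real prerequisite: without file-creation (or equivalent) events being exported from the appliance, there is nothing for these keywords to match, and the mixed-case sample shows why a case-sensitive grep for the same strings would miss events that the Sigma rule would catch.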
Related rules
- ADSelfService Exploitation
- Apache Spark Shell Command Injection - Weblogs
- Arcadyan Router Exploitations
- Atlassian Bitbucket Command Injection Via Archive API
- CVE-2010-5278 Exploitation Attempt