Exploitation Indicator Of CVE-2022-42475

Detects exploitation indicators of CVE-2022-42475 a heap-based buffer overflow in sslvpnd.

Sigma rule (View on GitHub)

 1title: Exploitation Indicator Of CVE-2022-42475
 2id: 293ccb8c-bed8-4868-8296-bef30e303b7e
 3status: experimental
 4description: Detects exploitation indicators of CVE-2022-42475 a heap-based buffer overflow in sslvpnd.
 5references:
 6    - https://www.fortiguard.com/psirt/FG-IR-22-398
 7    - https://www.bleepingcomputer.com/news/security/fortinet-says-ssl-vpn-pre-auth-rce-bug-is-exploited-in-attacks/
 8    - https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/
 9    - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420
10author: Nasreddine Bencherchali (Nextron Systems), Nilaa Maharjan, Douglasrose75
11date: 2024-02-08
12tags:
13    - attack.initial-access
14    - cve.2022-42475
15    - detection.emerging-threats
16logsource:
17    product: fortios
18    service: sslvpnd
19    definition: 'Requirements: file creation events or equivalent must be collected from the FortiOS SSL-VPN appliance in order for this detection to function correctly'
20detection:
21    keywords:
22        - '/data/etc/wxd.conf'
23        - '/data/lib/libgif.so'
24        - '/data/lib/libips.bak'
25        - '/data/lib/libiptcp.so'
26        - '/data/lib/libipudp.so'
27        - '/data/lib/libjepg.so'
28        - '/var/.sslvpnconfigbk'
29    condition: keywords
30falsepositives:
31    - Unknown
32level: high

References

Related rules

to-top