Exploitation Indicator Of CVE-2022-42475

Status
test
Severity
high
Log source
product fortios, service sslvpnd
Author
Nasreddine Bencherchali (Nextron Systems), Nilaa Maharjan, Douglasrose75
Source
github.com/SigmaHQ/sigma

Detects exploitation indicators of CVE-2022-42475, a heap-based buffer overflow in the FortiOS SSL-VPN daemon (sslvpnd), by matching on the file paths listed in the rule body.

MITRE ATT&CK coverage

Tactic            Techniques
Initial Access    No specific technique

Rule body (YAML)

title: Exploitation Indicator Of CVE-2022-42475
id: 293ccb8c-bed8-4868-8296-bef30e303b7e
status: test
description: Detects exploitation indicators of CVE-2022-42475, a heap-based buffer overflow in sslvpnd.
references:
    - https://www.fortiguard.com/psirt/FG-IR-22-398
    - https://www.bleepingcomputer.com/news/security/fortinet-says-ssl-vpn-pre-auth-rce-bug-is-exploited-in-attacks/
    - https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/
    - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420
author: Nasreddine Bencherchali (Nextron Systems), Nilaa Maharjan, Douglasrose75
date: 2024-02-08
tags:
    - attack.initial-access
    - cve.2022-42475
    - detection.emerging-threats
logsource:
    product: fortios
    service: sslvpnd
    definition: 'Requirements: file creation events or equivalent must be collected from the FortiOS SSL-VPN appliance in order for this detection to function correctly'
detection:
    keywords:
        - '/data/etc/wxd.conf'
        - '/data/lib/libgif.so'
        - '/data/lib/libips.bak'
        - '/data/lib/libiptcp.so'
        - '/data/lib/libipudp.so'
        - '/data/lib/libjepg.so'
        - '/var/.sslvpnconfigbk'
    condition: keywords
falsepositives:
    - Unknown
level: high

Stages and Predicates

Stage 0: condition

keywords

Stage 1: keywords

keywords:
    - '/data/etc/wxd.conf'
    - '/data/lib/libgif.so'
    - '/data/lib/libips.bak'
    - '/data/lib/libiptcp.so'
    - '/data/lib/libipudp.so'
    - '/data/lib/libjepg.so'
    - '/var/.sslvpnconfigbk'
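The following is an added example, not part of the SigmaHQ rule or its tooling: it evaluates the rule's `keywords` detection the way a Sigma backend does (each keyword is a case-insensitive substring match against the whole event, with `*` and `?` as wildcards, although this rule uses none) over constructed sample lines. The key=value log layout of those lines is an assumption for illustration, not real FortiOS output.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Keyword list copied from the rule body above.
CVE_2022_42475_KEYWORDS = [
    "/data/etc/wxd.conf",
    "/data/lib/libgif.so",
    "/data/lib/libips.bak",
    "/data/lib/libiptcp.so",
    "/data/lib/libipudp.so",
    "/data/lib/libjepg.so",
    "/var/.sslvpnconfigbk",
]


def compile_keywords(keywords: Iterable[str]) -> Dict[str, re.Pattern]:
    """Turn a Sigma keyword list into per-keyword regexes: escape the literal
    text, then map Sigma's * and ? wildcards to .* and . and match
    case-insensitively, which is how the Sigma spec defines `keywords`."""
    compiled = {}
    for kw in keywords:
        pattern = re.escape(kw).replace(r"\*", ".*").replace(r"\?", ".")
        compiled[kw] = re.compile(pattern, re.IGNORECASE)
    return compiled


RULE = compile_keywords(CVE_2022_42475_KEYWORDS)


def match_event(event: str) -> List[str]:
    """Return the keywords found in one raw event string, in rule order."""
    return [kw for kw, rx in RULE.items() if rx.search(event)]


def scan(events: Iterable[str]) -> List[Tuple[int, List[str]]]:
    """Apply the rule to a stream of events; condition is simply `keywords`."""
    return [(i, hits) for i, ev in enumerate(events) if (hits := match_event(ev))]


# Constructed sample events (assumed layout); the second one checks that
# a differently-cased path still fires, the third is benign SSL-VPN noise.
SAMPLE_EVENTS = [
    'date=2024-02-08 time=10:14:02 devname="fw01" type="event" msg="file created path=/data/lib/libips.bak"',
    'date=2024-02-08 time=10:14:03 devname="fw01" type="event" msg="file created path=/DATA/etc/WXD.conf"',
    'date=2024-02-08 time=10:15:00 devname="fw01" type="event" subtype="sslvpn" msg="SSL tunnel established" user="alice"',
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(f"event {index}: CVE-2022-42475 indicator(s) {hits}")
```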