security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 45 Packages Projects Releases Wiki Activity

Merge PR #4714 from @douglasrose75 - Add Rule Covering Exploitation Indicators For CVE 2022-42475

Browse Source 
new: Exploitation Indicator Of CVE-2022-42475

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
This commit is contained in:
Douglas Rose
2024-02-08 10:30:44 -05:00
committed by GitHub
parent 66f964f9c4
commit a572fc50b5
2 changed files with 40 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules-emerging-threats/2022/Exploits/CVE-2022-42475/fortios_sslvpnd_exploit_cve_2022_42475_exploitation_indicators.yml
+32
View File
@@ -0,0 +1,32 @@
title: Exploitation Indicator Of CVE-2022-42475
id: 293ccb8c-bed8-4868-8296-bef30e303b7e
status: experimental
description: Detects exploitation indicators of CVE-2022-42475 a heap-based buffer overflow in sslvpnd.
references:
- https://www.fortiguard.com/psirt/FG-IR-22-398
- https://www.bleepingcomputer.com/news/security/fortinet-says-ssl-vpn-pre-auth-rce-bug-is-exploited-in-attacks/
- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/
- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420
author: Nasreddine Bencherchali (Nextron Systems), Nilaa Maharjan, Douglasrose75
date: 2024/02/08
tags:
- attack.initial_access
- cve.2022.42475
- detection.emerging_threats
logsource:
product: fortios
service: sslvpnd
definition: 'Requirements: file creation events or equivalent must be collected from the FortiOS SSL-VPN appliance in order for this detection to function correctly'
detection:
keywords:
- '/data/etc/wxd.conf'
- '/data/lib/libgif.so'
- '/data/lib/libips.bak'
- '/data/lib/libiptcp.so'
- '/data/lib/libipudp.so'
- '/data/lib/libjepg.so'
- '/var/.sslvpnconfigbk'
condition: keywords
falsepositives:
- Unknown
level: high
tests/logsource.json
+8
View File
@@ -177,6 +177,14 @@
"syslog":[]
}
},
"fortios":{
"commun": [],
"empty": [],
"category":{},
"service":{
"sslvpnd": []
}
},
"django":{
"commun": [],
"empty": [],