DIVD-2022-00063 - Memory overflow vulnerability in FortiOS SSL VPN
Field | Value |
---|---|
Our reference | DIVD-2022-00063 |
Case lead | Ralph Horn |
Researcher(s) | |
CVE(s) | |
Product | FortiOS, FortiOS-6K7K |
Versions | |
Recommendation | Upgrade your affected installations to one of the fixed versions listed by Fortinet in their Security Advisory. |
Workaround | Disable SSL VPN |
Status | Open |
Last modified | 17 Dec 2022 13:13 |
Summary
There is a memory overflow vulnerability in the FortiOS SSL VPN which can be used to execute code on the system. Multiple versions are affected, and in its FG-IR-22-398 security bulletin Fortinet recommends upgrading to one of the patched versions.
DIVD has created a partial fingerprinting method and is warning those who are running a known vulnerable version.
Unfortunately, on 16 December notifications were sent to too broad an audience. We apologize for this mishap. In the coming days, we will rescan and send out new notifications to the correct addresses.
What you can do
If you are running Fortinet equipment with FortiOS, we advise you to upgrade your instance to one of the patched versions listed in Fortinet's FG-IR-22-398 security bulletin.
Patched versions are:
- FortiOS version 7.2.3 or above
- FortiOS version 7.0.9 or above
- FortiOS version 6.4.11 or above
- FortiOS version 6.2.12 or above
- upcoming FortiOS-6K7K version 7.0.8 or above
- FortiOS-6K7K version 6.4.10 or above
- upcoming FortiOS-6K7K version 6.2.12 or above
- FortiOS-6K7K version 6.0.15 or above
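The list above is branch-specific: a 7.0.x device needs 7.0.9 or later, a 7.2.x device needs 7.2.3 or later, and the FortiOS-6K7K line has its own thresholds. A plain string comparison gets this wrong ("7.0.10" sorts before "7.0.9"), and a branch that is not on the list cannot be judged from the list at all. The following is an added example, not DIVD's or Fortinet's code, that encodes the patched versions from this page as (major, minor, patch) tuples and triages a constructed inventory against them; hostnames and the `triage` helper are assumptions for illustration.

```python
from __future__ import annotations

import re

# Minimum fixed build per release branch, copied from the advisory's list of
# patched versions. Keyed by product, then by (major, minor) release branch.
PATCHED_VERSIONS = {
    "FortiOS": {
        (7, 2): (7, 2, 3),
        (7, 0): (7, 0, 9),
        (6, 4): (6, 4, 11),
        (6, 2): (6, 2, 12),
    },
    "FortiOS-6K7K": {
        (7, 0): (7, 0, 8),    # listed as "upcoming" on the page
        (6, 4): (6, 4, 10),
        (6, 2): (6, 2, 12),   # listed as "upcoming" on the page
        (6, 0): (6, 0, 15),
    },
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn 'v7.2.2' or '7.2.2' into a numerically comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(product: str, version: str) -> bool | None:
    """True if the version is at or above the fix for its branch, False if it
    is below it, None if the branch is not covered by the list (the list alone
    cannot tell you whether such a build is affected)."""
    branches = PATCHED_VERSIONS.get(product)
    if branches is None:
        raise ValueError(f"unknown product: {product!r}")
    v = parse_version(version)
    fixed = branches.get(v[:2])
    if fixed is None:
        return None
    # Tuple comparison is numeric per component, so 7.0.10 >= 7.0.9 holds.
    return v >= fixed


# Constructed sample inventory (hostname, product, reported version);
# these hosts and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("fw-ams-01", "FortiOS", "v7.2.2"),
    ("fw-ams-02", "FortiOS", "7.2.3"),
    ("fw-rtm-01", "FortiOS", "7.0.10"),
    ("fw-dc-01", "FortiOS-6K7K", "6.0.14"),
    ("fw-lab-01", "FortiOS", "7.4.0"),
]


def triage(inventory: list[tuple[str, str, str]]) -> dict[str, list[str]]:
    """Bucket hosts into patched / vulnerable / unknown for follow-up."""
    buckets: dict[str, list[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, product, version in inventory:
        result = is_patched(product, version)
        if result is None:
            buckets["unknown"].append(host)
        elif result:
            buckets["patched"].append(host)
        else:
            buckets["vulnerable"].append(host)
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" bucket (a 7.4.x build here, which the page does not list) should be checked against Fortinet's advisory directly rather than assumed safe; the same applies if a device reports a version string this parser rejects.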
What we are doing
We have developed a partial fingerprinting method for FortiOS version 7.2.x. With this method we are scanning the internet to identify vulnerable instances. We will send notifications to the owners of vulnerable systems we can fingerprint via the registered abuse contacts.
We will continue our investigation to see if we can remotely fingerprint other versions of these devices, or find another safe way to determine whether a device is vulnerable. When we are able to fingerprint other FortiOS versions, we will include them in our scans so we are able to notify more owners of vulnerable systems.
Timeline
Date | Description |
---|---|
01 Nov 2022 | Fortinet releases FortiOS 6.4.11 that contains a fix for CVE-2022-42475 |
03 Nov 2022 | Fortinet releases FortiOS 6.2.12 that contains a fix for CVE-2022-42475 |
10 Nov 2022 | Fortinet releases FortiOS 7.2.3 that contains a fix for CVE-2022-42475 |
22 Nov 2022 | Fortinet releases FortiOS 7.0.9 that contains a fix for CVE-2022-42475 |
12 Dec 2022 | DIVD starts tracking this vulnerability |
12 Dec 2022 | Fortinet releases advisory FG-IR-22-398 |
14 Dec 2022 | Partial fingerprint method developed, scanning |
16 Dec 2022 | First batch of notifications, sent to incorrect list |
17 Dec 2022 | DIVD publishes rectification and sends rectification e-mails |