DIVD-2022-00063 - Memory overflow vulnerability in FortiOS SSL VPN
| Our reference | DIVD-2022-00063 |
| Case lead | Ralph Horn |
| Researcher(s) | |
| CVE(s) | |
| Product | FortiOS, FortiOS-6K7K |
| Versions |
|
| Recommendation | Upgrade your affected installations to one of the fixed versions listed by Fortinet in their Security Advisory. |
| Workaround | Disable SSL VPN |
| Status | Closed |
| Last modified | 31 May 2023 20:12 |
Summary
There is a memory overflow vulnerability in FortiOS SSL VPN which can be used to execute code on the system. There are multiple affected versions, and in Fortinet’s FG-IR-22-398 security bulletin, Fortinet recommends to upgrade to one of the patched versions.
DIVD has created a partial fingerprinting method and is warning those that are running a known vulnerable version.
Unfortunately on 16-12 notifications were sent to a too broad audience. We apologize for this mishap. In the coming days, we will rescan and sent out new notifications to the correct addresses.
On 27-03 we were notified by mulitple parties that the devices they were notified of being vulnerable were already patched. After a little bit of triaging it was found out that the script to check for the versions encountered had an error and was indeed labeling certain version numbers as being vulnerable while they weren’t. Another set of notifications was sent out to the parties involved to inform them of the mistake.
What you can do
If you are running FortiNet equipment running FortiOS, we advise you to upgrade your instance to one of the listed patched versions in Fortinet’s FG-IR-22-398 security bulletin.
Patched version are:
- FortiOS version 7.2.3 or above
- FortiOS version 7.0.9 or above
- FortiOS version 6.4.11 or above
- FortiOS version 6.2.12 or above
- upcoming FortiOS-6K7K version 7.0.8 or above
- FortiOS-6K7K version 6.4.10 or above
- upcoming FortiOS-6K7K version 6.2.12 or above
- FortiOS-6K7K version 6.0.15 or above
What we are doing
We have developed a partial fingerprinting method for FortiOS version v7.2.x. With this methode we are scanning the the internet to identify vulnerable instances. We will send notifcations to the owners of vulnerable systems we can fingerprint via the registered abuse contacts.
We will continue out investigating so see if we can remotely fingerprint other versions of these devices, or to find another safe way to determine if the device is vulnerable. When we are able to fingerprint FortiOS, we will include this in our scans so we are able to notify more owners of vulnerable systems.
Timeline
| Date | Description |
|---|---|
| 01 Nov 2022 | Fortinet releases FortiOS 6.4.11 that contains a fix for CVE-2022-42475 |
| 03 Nov 2022 | Fortinet releases FortiOS 6.2.12 that contains a fix for CVE-2022-42475 |
| 10 Nov 2022 | Fortinet releases FortiOS 7.2.3 that contains a fix for CVE-2022-42475 |
| 22 Nov 2022 | Fortinet releases FortiOS 7.0.9 that contains a fix for CVE-2022-42475 |
| 12 Dec 2022 | DIVD starts tracking this vulnerability |
| 12 Dec 2022 | Fortinet releases advisory FG-IR-22-398 |
| 14 Dec 2022 | Partial fingerprint method developed, scanning |
| 16 Dec 2022 | First batch of notifications, sent to incorrect list |
| 17 Dec 2022 | DIVD publishes rectification and sends rectification e-mails |
| 21 Mar 2023 | DIVD finds new fingerprinting method |
| 22 Mar 2023 | DIVD identifies vulnerable devices |
| 26 Mar 2023 | DIVD sends new batch of notifications |
| 27 Mar 2023 | DIVD is contacted about false positives by multiple parties |
| 27 Mar 2023 | DIVD triages the issue regarding the false positives and sends rectification e-mails |
| 21 May 2023 | Case closed. |