
DIVD-2022-00063 - Memory overflow vulnerability in FortiOS SSL VPN

Our reference DIVD-2022-00063
Case lead Ralph Horn
Researcher(s)
CVE(s)
Product FortiOS, FortiOS-6K7K
Versions
  • FortiOS v7.2 to v7.2.2
  • FortiOS v7.0.0 to v7.0.8
  • FortiOS v6.4.0 to v6.4.10
  • FortiOS v6.2.0 to v6.2.11
  • FortiOS v5.6.0 to v5.6.14
  • FortiOS v5.4.0 to v5.4.13
  • FortiOS v5.2.0 to v5.2.15
  • FortiOS v5.0.0 to v5.0.14
  • FortiOS-6K7K v7.0.0 to v7.0.7
  • FortiOS-6K7K v6.4.0 to v6.4.9
  • FortiOS-6K7K v6.2.0 to v6.2.11
  • FortiOS-6K7K v6.0.0 to v6.0.14
Recommendation Upgrade your affected installations to one of the fixed versions listed by Fortinet in their Security Advisory.
Workaround Disable SSL VPN
Status Open
Last modified 17 Dec 2022 13:13

Summary

There is a memory overflow vulnerability in FortiOS SSL VPN which can be used to execute code on the system. Multiple versions are affected, and in its FG-IR-22-398 security bulletin Fortinet recommends upgrading to one of the patched versions.

DIVD has created a partial fingerprinting method and is warning those who are running a known vulnerable version.

Unfortunately, on 16-12 notifications were sent to too broad an audience. We apologize for this mishap. In the coming days, we will rescan and send out new notifications to the correct addresses.

What you can do

If you are running Fortinet equipment with FortiOS, we advise you to upgrade your instance to one of the patched versions listed in Fortinet’s FG-IR-22-398 security bulletin.
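To decide which devices need the upgrade, an inventory can be checked against the affected ranges in the Versions list above. The following is an added example, not DIVD's or Fortinet's code; the function names and the sample inventory are constructed, and "v7.2 to v7.2.2" is assumed to mean 7.2.0 through 7.2.2.

```python
import re

# Inclusive affected ranges, copied from the "Versions" list on this page.
# Assumption: "v7.2 to v7.2.2" means 7.2.0 through 7.2.2.
AFFECTED = {
    "FortiOS": [
        ((7, 2, 0), (7, 2, 2)), ((7, 0, 0), (7, 0, 8)),
        ((6, 4, 0), (6, 4, 10)), ((6, 2, 0), (6, 2, 11)),
        ((5, 6, 0), (5, 6, 14)), ((5, 4, 0), (5, 4, 13)),
        ((5, 2, 0), (5, 2, 15)), ((5, 0, 0), (5, 0, 14)),
    ],
    "FortiOS-6K7K": [
        ((7, 0, 0), (7, 0, 7)), ((6, 4, 0), (6, 4, 9)),
        ((6, 2, 0), (6, 2, 11)), ((6, 0, 0), (6, 0, 14)),
    ],
}
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)(?:\.(\d+))?")

def parse_version(text):
    """Return (major, minor, patch) from strings like 'v7.0.8' or '6.4.10'."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def is_affected(product, version_text):
    """True if the version falls inside a range this page lists for product."""
    version = parse_version(version_text)  # int tuples: 6.4.10 sorts after 6.4.9
    return any(lo <= version <= hi for lo, hi in AFFECTED[product])

def triage(inventory):
    """Map each host to 'affected', 'not listed' or 'unknown'."""
    result = {}
    for host, product, version_text in inventory:
        try:
            hit = is_affected(product, version_text)
            result[host] = "affected" if hit else "not listed"
        except (KeyError, ValueError):  # unknown product or unreadable version
            result[host] = "unknown"
    return result

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("fw-edge-01", "FortiOS", "v6.4.10"),
    ("fw-edge-02", "FortiOS", "v7.2.3"),
    ("fw-core-01", "FortiOS-6K7K", "v7.0.8"),
    ("fw-lab-01", "FortiOS", "unknown"),
]
```

Calling `triage(SAMPLE)` returns one status per host. "not listed" only means the version is outside the ranges on this page, so confirm it against Fortinet's FG-IR-22-398 bulletin, and follow up on every "unknown" by hand.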

Patched versions are:

What we are doing

We have developed a partial fingerprinting method for FortiOS version v7.2.x. With this method we are scanning the internet to identify vulnerable instances. We will send notifications to the owners of vulnerable systems we can fingerprint via the registered abuse contacts.

We will continue our investigation to see if we can remotely fingerprint other versions of these devices, or find another safe way to determine if the device is vulnerable. When we are able to fingerprint FortiOS, we will include this in our scans so we are able to notify more owners of vulnerable systems.

Timeline

Date Description
01 Nov 2022 Fortinet releases FortiOS 6.4.11 that contains a fix for CVE-2022-42475
03 Nov 2022 Fortinet releases FortiOS 6.2.12 that contains a fix for CVE-2022-42475
10 Nov 2022 Fortinet releases FortiOS 7.2.3 that contains a fix for CVE-2022-42475
22 Nov 2022 Fortinet releases FortiOS 7.0.9 that contains a fix for CVE-2022-42475
12 Dec 2022 DIVD starts tracking this vulnerability
12 Dec 2022 Fortinet releases advisory FG-IR-22-398
14 Dec 2022 Partial fingerprint method developed, scanning
16 Dec 2022 First batch of notifications, sent to incorrect list
17 Dec 2022 DIVD publishes rectification and sends rectification e-mails

More information