CVE-2022-42475 - FortiOS - heap-based buffer overflow in sslvpnd

  • 13 December 2022

For those folks who run Fortinet Devices:

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

The vulnerability has already been exploited in the wild. 

CVSSv3 score is 9.3 with a rating of Critical, so patch as soon as possible.

More info: PSIRT Advisories | FortiGuard


4 comments


This is one hell of a vuln. No good at all.


Read about this yesterday; hopefully everyone gets patched.


@dips Thank you for your information.


This is a late post, but if you cannot upgrade for some reason, you can disable the 'ssl.<vdom>' interface on the device, or you can disable SSL VPN altogether (from Fortinet Support). Check the current state first:

    # show full-configuration vpn ssl settings | grep status
    set status enable    <--- change to disable

Then apply the change:

    # config vpn ssl settings
    # set status disable
    # end
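The workaround in the last comment is a per-box CLI change; on a fleet you want to know which devices still have SSL-VPN turned on before you start. The script below is an added example, not code from the thread or from Fortinet: it parses the flat `config vpn ssl settings ... end` stanza that `show full-configuration vpn ssl settings` prints, reports which devices still have `set status enable`, and emits the CLI sequence from the comment for each of them. The hostnames and config dumps are constructed sample data, and treating a missing `status` line as "enabled" is an assumption made here so that no device is silently marked safe.

```python
"""Audit FortiOS 'show full-configuration vpn ssl settings' dumps for the
SSL-VPN disable workaround.  Added example; sample data is constructed."""
import shlex

# Constructed sample output, one dump per hypothetical firewall.
SAMPLE_DUMPS = {
    "fw-branch-01": """config vpn ssl settings
    set status enable
    set port 10443
    set servercert "Fortinet_Factory"
    set source-interface "wan1"
end
""",
    "fw-branch-02": """config vpn ssl settings
    set status disable
    set port 443
end
""",
}


def parse_settings(dump: str) -> dict:
    """Return the 'set' key/values of a single flat FortiOS config stanza.

    Handles the 'config ... / set ... / end' shape that
    'show full-configuration vpn ssl settings' produces; nested
    'edit'/'next' tables are tracked only so their 'set' lines are ignored.
    """
    settings = {}
    depth = 0
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # FortiOS quotes values containing spaces
        if tokens[0] in ("config", "edit"):
            depth += 1
        elif tokens[0] in ("end", "next"):
            depth -= 1
        elif tokens[0] == "set" and depth == 1 and len(tokens) >= 3:
            # Multi-value fields (e.g. source-interface "a" "b") become a list.
            settings[tokens[1]] = tokens[2] if len(tokens) == 3 else tokens[2:]
    return settings


def sslvpn_enabled(dump: str) -> bool:
    """True when the SSL-VPN service is still configured to run.

    Assumption (not from the advisory): if the 'status' attribute is absent
    we treat the service as enabled, so an incomplete dump never reads as safe.
    """
    return parse_settings(dump).get("status", "enable") == "enable"


def remediation_commands() -> list:
    """CLI sequence implementing the workaround quoted in the comment above."""
    return [
        "config vpn ssl settings",
        "    set status disable",
        "end",
    ]


def audit(dumps: dict) -> dict:
    """Map hostname -> {'port': ...} for every device still exposing SSL-VPN."""
    exposed = {}
    for host, dump in dumps.items():
        if sslvpn_enabled(dump):
            exposed[host] = {"port": parse_settings(dump).get("port")}
    return exposed


if __name__ == "__main__":
    for host, info in audit(SAMPLE_DUMPS).items():
        print(f"{host}: SSL-VPN still enabled on port {info['port']}")
        for cmd in remediation_commands():
            print("    " + cmd)
```

Feed it real dumps (for example, collected over SSH with `show full-configuration vpn ssl settings`) in place of SAMPLE_DUMPS; disabling the service is a stopgap, and the devices it flags still need the fixed firmware from the PSIRT advisory.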
