CVE-2022-42475

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

Recent assessments:

ccondon-r7 at December 13, 2022 2:02pm UTC reported:

Heap-based buffer overflow in the sslvpnd component of Fortinet SSL VPNs. Fortinet disclosed publicly on December 12 with a note that it had been exploited in the wild, evidently after putting out a private warning to customers the week prior. Since then, there’s been community discussion about whether this was exploited as 0day or not, as the vendor evidently silently patched the vuln roughly two weeks before public disclosure (giving attackers plenty of time to reverse the patch before many customers were aware there was a problem).

Heap-based BOF probably isn’t quite as easily exploitable as, say, a stack-based cousin. Even if this wasn’t true 0day, my bets are on an advanced and/or state-sponsored threat actor being the culprit for initial exploitation. Not sure we’ll see mass exploitation right away, or even at all…unless of course someone figures out where the bug lives and develops a public exploit, in which case, the exploitability rating on this will ratchet up. The attacker value of compromising a Fortinet device is high enough to motivate folks.

Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 3