
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical heap-based buffer overflow (CVE-2022-42475) was found in the SSL-VPN daemon of FortiOS. Affected releases are FortiOS 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, and all 6.0 and older releases, plus the corresponding FortiOS-6K7K builds below the fixed versions listed below. Fortinet rated the bug CVSSv3 9.3 (NVD scores it 9.8) and published advisory FG-IR-22-398 on December 12, 2022. A remote, unauthenticated attacker who can reach the SSL-VPN listener can trigger the overflow with specifically crafted requests and execute arbitrary code or commands on the appliance (Fortiguard PSIRT, NVD).
The weakness is a heap-based buffer overflow (CWE-122) in the SSL-VPN component of FortiOS. Fortinet's incident analysis showed that the vulnerability was already being exploited in the wild, and that the post-exploitation malware dropped on compromised devices was built specifically for FortiOS: it patches the logging processes in memory so that selected events are never written, edits log files directly, and ships offsets and opcodes for 27 FortiGate model and version pairs so that it can locate the right code on each build. Exploitation also produces a distinctive TLS traffic pattern, with a specific buffer string in the Client Hello, which Fortinet used as the basis for its IPS signature (Fortinet Blog).
Successful exploitation gives the attacker code execution on the firewall itself. The associated malware manipulates system logs, interferes with IPS functionality, and establishes persistent access, so a device that is patched after compromise may still carry an implant that leaves little trace in its own logs. The effort invested in the exploit and the tooling suggests it was used in highly targeted intrusions, particularly against governmental or government-related organisations (Hacker News, Fortinet Blog).
Fortinet fixed the issue in FortiOS 7.2.3, 7.0.9, 6.4.11 and 6.2.12, and in FortiOS-6K7K 7.0.8, 6.4.10, 6.2.12 and 6.0.15; the 6.0 branch of standard FortiOS has no fixed release and must be migrated to a supported branch. As an immediate workaround, organisations can disable SSL-VPN until the upgrade is applied. Fortinet also released IPS signatures covering both the exploit and the malware's C&C channel, and an Outbreak Alert Package for FortiAnalyzer that detects and reports suspicious traffic. Because the malware tampers with on-box logging, patching alone does not prove a device was never compromised: devices that were exposed while vulnerable should also be checked against the indicators of compromise in the Fortinet advisory (Fortiguard PSIRT).
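The version ranges above are easy to misread when triaging a fleet of appliances, especially because the FortiOS-6K7K branch has different fixed builds from standard FortiOS. The following helper is an added example written for this page, not Fortinet tooling: it encodes the fixed releases stated above, derives "affected" as "same branch, strictly below the fixed release" (which reproduces the ranges in the advisory), treats branches with no listed fix (standard FortiOS 6.0 and older) as affected with a migration action, and flags branches newer than any listed so that they are verified against the current advisory rather than silently assumed safe. The inventory at the bottom is constructed sample data.

```python
"""Triage helper for CVE-2022-42475 (FG-IR-22-398).

Added example for this page, not Fortinet's own code. The FIXED table
holds the fixed releases stated in the advisory; affected ranges are
derived as "same major.minor branch, strictly below the fixed build",
which reproduces 7.2.0-7.2.2, 7.0.0-7.0.8, 6.4.0-6.4.10 and 6.2.0-6.2.11
for standard FortiOS and the implied ranges for FortiOS-6K7K.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Fixed releases per product and branch, as listed in the advisory.
# Branches absent from a product's map (e.g. standard FortiOS 6.0 and
# older, "earlier versions") have no fix and must be migrated.
FIXED = {
    "fortios": {
        (7, 2): (7, 2, 3),
        (7, 0): (7, 0, 9),
        (6, 4): (6, 4, 11),
        (6, 2): (6, 2, 12),
    },
    "fortios-6k7k": {
        (7, 0): (7, 0, 8),
        (6, 4): (6, 4, 10),
        (6, 2): (6, 2, 12),
        (6, 0): (6, 0, 15),
    },
}

# Accepts the forms seen in `get system status` output and in inventories:
# "7.2.1", "v7.2.1,build1255", "7.0.5 build0304". Anything else is rejected
# rather than guessed at, so a malformed record cannot be marked "safe".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?=$|[^\d])", re.IGNORECASE)


def parse_version(text: str) -> tuple[int, int, int]:
    """Return (major, minor, patch) or raise ValueError on unknown formats."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


@dataclass(frozen=True)
class Verdict:
    affected: bool
    fixed_release: Optional[str]  # e.g. "7.2.3"; None when no fix is listed
    action: str


def _fmt(v: tuple[int, ...]) -> str:
    return ".".join(str(x) for x in v)


def assess(version: str, product: str = "fortios") -> Verdict:
    """Decide whether one build is in the affected range and what to do."""
    ver = parse_version(version)
    branches = FIXED[product]
    fixed = branches.get(ver[:2])
    if fixed is None:
        newest_branch = max(branches)
        if ver[:2] > newest_branch:
            # Newer than anything the advisory names: do not assume safe.
            return Verdict(False, None,
                           "branch newer than any listed; verify against the current advisory")
        # Older branch with no fixed build listed (page: "earlier versions").
        return Verdict(True, None,
                       f"no fixed release for this branch; migrate to "
                       f"{_fmt(branches[newest_branch])} or later, disable SSL-VPN meanwhile")
    fixed_str = _fmt(fixed)
    if ver < fixed:
        return Verdict(True, fixed_str,
                       f"upgrade to {fixed_str}; disable SSL-VPN until then")
    return Verdict(False, fixed_str, f"at or above fixed release {fixed_str}")


def triage(inventory: list[tuple[str, str, str]]) -> list[tuple[str, Verdict]]:
    """Run assess() over (hostname, product, version) records."""
    return [(host, assess(ver, product)) for host, product, ver in inventory]


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames and builds).
    sample = [
        ("fw-edge-01", "fortios", "v7.2.2,build1255"),
        ("fw-edge-02", "fortios", "7.2.3"),
        ("fw-dc-01", "fortios-6k7k", "6.4.9"),
        ("fw-legacy", "fortios", "6.0.14"),
    ]
    for host, verdict in triage(sample):
        state = "AFFECTED" if verdict.affected else "ok"
        print(f"{host:12} {state:9} {verdict.action}")
```

The deliberate choice is to fail closed: unparsable version strings raise instead of returning "not affected", and a branch the table does not know is reported for manual verification rather than marked safe, since a triage script that quietly returns "ok" for bad input is exactly the kind of blind spot an attacker who is already patching your logs would enjoy.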
Source: This report was generated using AI