CVE-2023-29180: 
FortiOS vulnerability analysis and mitigation

A null pointer dereference vulnerability (CVE-2023-29180) was discovered in Fortinet FortiOS and FortiProxy products. The vulnerability affects multiple versions of FortiOS (from 6.0.0 through 7.2.4) and FortiProxy (from 1.0.0 through 7.2.3). This security issue was internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team during an internal audit of the SSL-VPN component, with initial publication on June 12, 2023 (Fortinet Advisory).

The vulnerability is classified as a NULL pointer dereference (CWE-476) that affects the SSL-VPN daemon. It can be triggered via specially crafted HTTP requests. The severity is rated as High with a CVSS v3.1 base score of 7.5, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

The successful exploitation of this vulnerability can lead to a denial of service condition, potentially causing the SSL-VPN daemon to crash. This could affect the availability of the SSL-VPN service for legitimate users (Fortinet Advisory).

Fortinet has released patches for affected versions. Users are advised to upgrade to the following versions: FortiOS 7.2.5 or above (for 7.2.x), 7.0.12 or above (for 7.0.x), 6.4.13 or above (for 6.4.x), 6.2.15 or above (for 6.2.x), and 6.0.17 or above (for 6.0.x). For FortiProxy, upgrade to version 7.2.4 or above (for 7.2.x), 7.0.11 or above (for 7.0.x), and 2.0.13 or above (for 2.0.x). Users of FortiProxy versions 1.0, 1.1, and 1.2 should migrate to a fixed release (Fortinet Advisory).