Fortinet’s security products are widely used in enterprises around the globe. But what happens when the security gatekeeper itself has a vulnerability? That’s the case with CVE-2022-42475, a critical heap-based buffer overflow flaw discovered in FortiOS and FortiProxy SSL-VPN, giving remote attackers a dangerous way in. If your environment uses these products, it's crucial to understand this issue—and patch it fast.

What is CVE-2022-42475?

CVE-2022-42475 is a vulnerability categorized as CWE-122: Heap-based Buffer Overflow. It affects certain versions of FortiOS SSL-VPN and FortiProxy SSL-VPN.

Here’s the official description:

> A heap-based buffer overflow vulnerability in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

Translated: an attacker can send specially crafted packets to a vulnerable device and make it run any code they choose.

- Remote Exploit: No password or authentication needed.

- Potential for Full Compromise: Attackers could install malware, steal information, or use your Fortinet device to access internal resources.
- Actively Exploited: Fortinet has confirmed real-world attacks.

How the Exploit Works

Although Fortinet has not released the exact source code, several researchers have reverse-engineered the patch and analyzed attack samples.

The root cause is improper handling of a buffer when parsing incoming SSL-VPN requests. By sending a specially crafted packet, attackers can overwrite certain parts of memory (heap buffer), letting them control the system's execution flow.

Let’s see a simple (oversimplified) code example to explain such vulnerabilities:

```c
#include <string.h>

// Imaginary vulnerable code snippet: the stack buffer has a fixed size,
// but strcpy copies until it finds a NUL byte, with no regard for that size.
void handle_request(char *input) {
    char buffer[128];
    strcpy(buffer, input); // No boundary check!
    // ... process request
}
```

If input is longer than 128 characters, strcpy keeps copying past the end of buffer, overwriting adjacent memory it shouldn't touch. An attacker crafts a payload to take advantage of exactly that.

In the real Fortinet exploit, the overflow happens with much more complex and structured VPN protocol data, but the idea is this: the attacker sends data that is too long (or specially crafted), corrupting memory and hijacking program control.
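To make the contrast concrete, here is an added example (not Fortinet's code and not taken from the researchers' analyses) of the same request handler written with the bounds check the snippet above lacks. The buffer is heap-allocated, as in the real bug, the input length is validated before any copy, and oversized requests are rejected rather than silently truncated. The names handle_request_safe, copy_request, probe_length and the REQ_BUF_SIZE constant are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed capacity of the request buffer (hypothetical, mirrors the 128 above). */
#define REQ_BUF_SIZE 128

/* Copy input into a caller-supplied buffer only if it fits, NUL terminator
 * included. Returns 0 on success and -1 if the request is rejected; on
 * rejection nothing is written, so an attacker-controlled length can never
 * push bytes past the end of the allocation. */
int copy_request(const char *input, size_t input_len,
                 char *buffer, size_t buffer_size)
{
    if (input == NULL || buffer == NULL || buffer_size == 0)
        return -1;
    if (input_len >= buffer_size)      /* >= leaves room for the '\0' */
        return -1;
    memcpy(buffer, input, input_len);  /* bounded by the check above */
    buffer[input_len] = '\0';
    return 0;
}

/* Hardened counterpart of the article's handle_request(): the buffer lives on
 * the heap (as in the real FortiOS bug) and the length is validated before use.
 * Returns 0 if the request was accepted, -1 if it was rejected. */
int handle_request_safe(const char *input, size_t input_len)
{
    char *buffer = malloc(REQ_BUF_SIZE);
    if (buffer == NULL)
        return -1;
    int rc = copy_request(input, input_len, buffer, REQ_BUF_SIZE);
    if (rc == 0) {
        /* ... process the now safely bounded request in buffer ... */
    }
    free(buffer);
    return rc;
}

/* Constructed test input: feed a run of n 'A' bytes through the handler and
 * report whether it was accepted (0) or rejected (-1). */
int probe_length(size_t n)
{
    char *data = malloc(n + 1);
    if (data == NULL)
        return -1;
    memset(data, 'A', n);
    data[n] = '\0';
    int rc = handle_request_safe(data, n);
    free(data);
    return rc;
}

int main(void)
{
    size_t sizes[] = { 100, 127, 128, 4096 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("%4zu-byte request: %s\n", sizes[i],
               probe_length(sizes[i]) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The decisive difference is that the length check runs on input_len before memcpy does, and the failure mode is rejection rather than truncation. In code that parses network protocol data, that length is the attacker-controlled value; it has to be compared against the size of the allocation, never trusted from the packet.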

Public Exploitation

Researchers at Lexfo and Horizon3.ai have analyzed the patch and described how the flaw can be exploited.

Attackers use a modified SSL-VPN handshake or crafted HTTP requests to exploit the overflow, eventually running a shell or dropping a backdoor on the firewall.

Example of Network Attack Flow

1. Connect to the device’s SSL-VPN service (usually over port 443/tcp).

Indicators of Compromise (IoCs)

Fortinet publishes IoCs for this bug, including file paths and suspicious binaries.

File paths to check:

- /data/lib/libips.so
- /data/lib/libiptcp.so
- /data/lib/libgif.so
- /var/.sslvpnconfigbk

Any unknown or unexpected files, especially in /data/lib, could be a sign of compromise.

How to Fix

- Patch Immediately: Upgrade to the latest version not affected by the bug:
  - FortiProxy 7.2.2 or later

- Restrict Access: Temporarily block SSL-VPN access from the internet if you can until you’ve patched everywhere.

There is no official “full” public exploit, but security researchers show PoCs similar to:

```python
import socket
import ssl

host = "victim.vpn.server"
port = 443

payload = b"A" * 100 # Oversized payload for triggering overflow

context = ssl.create_default_context()

with socket.create_connection((host, port)) as sock:
    with context.wrap_socket(sock, server_hostname=host) as ssock:
        ssock.send(payload)
        print(ssock.recv(1024))
```

Note: This is a simplified PoC and won’t work against live systems. Real attacks use precise protocol messages.

References & Further Reading

- FortiGuard PSIRT Advisory
- NVD Summary
- Lexfo FortiOS Analysis
- Horizon3.ai Deep Dive
- CISA Alert AA23-025A

Summary

CVE-2022-42475 is a critical vulnerability in FortiOS and FortiProxy SSL-VPN products that allows attackers to run any code they want by exploiting a buffer overflow—remotely, no username or password needed. If your device is affected, patch it now and check for signs of past compromise.

Timeline

Published on: 01/02/2023 09:15:00 UTC
Last modified on: 01/09/2023 17:30:00 UTC