Fortinet has issued an advisory warning about a critical heap-based buffer overflow vulnerability in multiple versions of its FortiOS SSL-VPN software. The vulnerability, tracked as CVE-2022-42475, has been assigned a severity score of 9.3 on the standard vulnerability scoring system. This means that the flaw is considered highly critical and could be exploited by an unauthenticated, remote attacker to perform arbitrary code on the affected system. Fortinet recommends that all users of the affected software update to the latest version as soon as possible to protect against this vulnerability.
Fortinet has released patches to fix the vulnerability and recommends that all users upgrade to the latest software version to protect against it. The company also recommends that users update to the latest version or to an earlier unaffected version of FortiOS (Please note that downgrading might open other critical vulnerabilities). Fortinet said that it is continuing to monitor the situation.
Fortinet advises checking your systems quickly for the following signs of compromise because it is aware of a situation in which this vulnerability was used in the wild.
Fortinet
Since the COVID-19 epidemic started, there has been an increase in attacks targeting VPNs as more people began working remotely. In October of this year, Another severe flaw in FortiOS allowed attackers to bypass authentication and was actively used in the field. This latest vulnerability is another example of the ongoing threat to VPNs.
Affected Products
- FortiOS version 7.2.0 through 7.2.2
- FortiOS version 7.0.0 through 7.0.8
- FortiOS version 6.4.0 through 6.4.10
- FortiOS version 6.2.0 through 6.2.11
- FortiOS-6K7K version 7.0.0 through 7.0.7
- FortiOS-6K7K version 6.4.0 through 6.4.9
- FortiOS-6K7K version 6.2.0 through 6.2.11
- FortiOS-6K7K version 6.0.0 through 6.0.1
Impact
Successful exploitation of the vulnerability allows remote attackers to execute arbitrary code.
Solution
- Please upgrade to FortiOS version 7.2.3 or above
- Please upgrade to FortiOS version 7.0.9 or above
- Please upgrade to FortiOS version 6.4.11 or above
- Please upgrade to FortiOS version 6.2.12 or above
- Please upgrade to FortiOS-6K7K version 7.0.8 or above
- Please upgrade to FortiOS-6K7K version 6.4.10 or above
- Please upgrade to FortiOS-6K7K version 6.2.12 or above
- Please upgrade to FortiOS-6K7K version 6.0.15 or above
SanerNow Network Scanner detects this vulnerability. Use SanerNow and keep your systems updated and secure.