SECURITY ALERTS

A Vulnerability (CVE-2022-42475) Exists in Fortinet FortiOS SSL-VPN Allowing for Arbitrary Code Execution

DESCRIPTION:
A heap-based buffer overflow vulnerability (CVE-2022-42475) in Fortinet FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

AFFECTED RELEASES:
FortiOS 5.0.0 to 5.0.14, 5.2.0 to 5.2.15, 5.4.0 to 5.4.13, 5.6.0 to 5.6.14, 6.0.0 to 6.0.15, 6.2.0 to 6.2.11, 6.4.0 to 6.4.10, 7.0.0 to 7.0.8 and 7.2.0 to 7.2.2
FortiOS-6K7K 6.0.0 to 6.0.14, 6.2.0 to 6.2.11, 6.4.0 to 6.4.9 and 7.0.0 to 7.0.7

SOLUTION:
1. Users and system administrators of affected products are advised to apply the security updates:
(1) Upgrade FortiOS to version 6.0.16, 6.2.12, 6.4.11, 7.0.9 or 7.2.3, or later
(2) Upgrade FortiOS-6K7K to version 6.0.15, 6.2.12, 6.4.10 or 7.0.8, or later
2. If you cannot update to a fixed version, disable SSL-VPN as a workaround until the update can be applied.
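An added example (not code from this alert or from Fortinet) that turns the affected ranges and fixed releases listed above into a quick inventory check: given a product name and an x.y.z build string, it reports whether the build is in an affected range and which release to move to. The version ranges are transcribed from this alert; the parsing and comparison logic, and the product names used as dictionary keys, are assumptions of the example.

```python
# Added example, not part of the advisory: check a FortiOS build against the
# CVE-2022-42475 affected ranges and fixed releases listed in this alert.
from typing import Optional, Tuple

Version = Tuple[int, int, int]

def parse_version(text: str) -> Version:
    """'7.0.8' -> (7, 0, 8). Raises ValueError on anything that is not x.y.z.
    Comparing tuples (not strings) is what makes 7.0.10 sort after 7.0.8."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a FortiOS x.y.z version: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))

# Per product: (first affected, last affected, first fixed release). The fix is
# None where the alert lists no fixed release for that branch (the 5.x lines).
AFFECTED = {
    "FortiOS": [
        ("5.0.0", "5.0.14", None), ("5.2.0", "5.2.15", None),
        ("5.4.0", "5.4.13", None), ("5.6.0", "5.6.14", None),
        ("6.0.0", "6.0.15", "6.0.16"), ("6.2.0", "6.2.11", "6.2.12"),
        ("6.4.0", "6.4.10", "6.4.11"), ("7.0.0", "7.0.8", "7.0.9"),
        ("7.2.0", "7.2.2", "7.2.3"),
    ],
    "FortiOS-6K7K": [
        ("6.0.0", "6.0.14", "6.0.15"), ("6.2.0", "6.2.11", "6.2.12"),
        ("6.4.0", "6.4.9", "6.4.10"), ("7.0.0", "7.0.7", "7.0.8"),
    ],
}

def check(product: str, version: str) -> Tuple[bool, Optional[str]]:
    """Return (is_affected, fixed_release). fixed_release is None when the
    build is outside every listed range or its branch has no listed fix."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED[product]:
        if parse_version(low) <= v <= parse_version(high):
            return True, fixed
    return False, None

if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    for product, version in [("FortiOS", "7.0.8"), ("FortiOS", "7.0.9"),
                             ("FortiOS-6K7K", "6.4.9"), ("FortiOS", "5.6.3")]:
        hit, fix = check(product, version)
        if not hit:
            print(f"{product} {version}: not in a listed affected range")
        elif fix:
            print(f"{product} {version}: AFFECTED, upgrade to {fix} or later")
        else:
            print(f"{product} {version}: AFFECTED, no fixed release listed for "
                  "this branch; move to a fixed branch or disable SSL-VPN")
```

A build outside every listed range (for example a release newer than the fixes) is reported as not affected only in the sense that this alert does not list it; it is not a statement about other advisories.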

REFERENCE:
1. https://www.fortiguard.com/psirt/FG-IR-22-398
2. https://www.fisac.tw/STIX_CASE/QueryStixCase/Detail?Uno=4KbRA2xNjogYexczfZB__s_D35r5e60Yc2iijyDPD2yrDo__e_
3. https://www.ithome.com.tw/news/154774