
Producing a POC for CVE-2022-42475 (Fortinet RCE)

  • Article
  • Apr 14, 2023
  • #Web3
Alain M.
@plopz0r
(Author)
blog.scrt.ch

I started searching for information regarding the issue early January 2023 and couldn’t find much information outside of Fortinet’s own advisory and blog post explaining what threat actors were doing with the vulnerability. I’ll show later on that other information was already out there, but at the time I couldn’t find it. I’ll blame my poor googling technique…

Fortinet explain in their advisory that the vulnerability is a heap overflow in the FortiGate’s sslvpnd daemon. They also mention that the vulnerability is actively being exploited by threat actors, which means that it must actually be exploitable and not just some denial of service issue.

A follow-up article on Fortinet’s blog provides some insight into how the threat actors were operating. However, most of the article is focused on the post-exploitation and provides a number of indicators of compromise. The details regarding how the vulnerability is actually exploited are obviously lacking. However, some interesting information is revealed, particularly in the two following images:

Mentions
0xor0ne @0xor0ne · May 8, 2023
  • From Twitter
Nice blog post by @plopz0r showing how to analyze and produce a PoC for CVE-2022-42475 (heap-based buffer overflow vulnerability in FortiOS SSL-VPN) #cve #infosec #exploit #cybersecurity