Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2022-29055

CVE-2022-29055: Fortinet Fortiproxy DOS Vulnerability

CVE-2022-29055 is a denial of service flaw in Fortinet Fortiproxy that allows attackers to crash the sslvpn daemon via HTTP requests. This post covers the technical details, affected versions, impact, and mitigation.

Updated:

CVE-2022-29055 Overview

CVE-2022-29055 is an access of uninitialized pointer vulnerability [CWE-824] in the SSL VPN daemon of Fortinet FortiOS and FortiProxy. A remote attacker can send a crafted HTTP GET request to crash the sslvpnd process. The flaw is reachable without authentication, so any network-accessible SSL VPN portal is exposed. Successful exploitation produces a denial of service that disrupts remote access for legitimate users.

Critical Impact

Unauthenticated network attackers can crash the FortiOS and FortiProxy SSL VPN daemon with a single HTTP GET request, disrupting remote access services.

Affected Products

  • Fortinet FortiOS 7.2.0, 7.0.0 through 7.0.5, 6.4.0 through 6.4.8, 6.2.0 through 6.2.10, and 6.0.x
  • Fortinet FortiProxy 7.0.0 through 7.0.4 and 2.0.0 through 2.0.9
  • Fortinet FortiProxy 1.2.x

Discovery Timeline

  • 2022-10-18 - CVE-2022-29055 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-29055

Vulnerability Analysis

The vulnerability resides in the SSL VPN daemon (sslvpnd) bundled with FortiOS and FortiProxy. The daemon dereferences a pointer that has not been initialized when processing certain HTTP GET requests against the SSL VPN web interface. The dereference operates on memory whose contents are indeterminate, leading to a process crash.

Because the SSL VPN portal is typically internet-facing, the attack surface extends to any reachable FortiGate or FortiProxy appliance with SSL VPN enabled. Exploitation requires no credentials, no user interaction, and only network access to the HTTPS listener. The impact is confined to availability: confidentiality and integrity are not affected, but remote workers and site-to-site VPN tunnels relying on the daemon lose connectivity until the service restarts.

Root Cause

The defect is classified under [CWE-824] (Access of Uninitialized Pointer). The sslvpnd request handler proceeds along a code path that reads from a pointer variable before it receives a valid assignment. When the attacker-controlled request triggers that path, the daemon dereferences indeterminate memory and aborts.

Attack Vector

An attacker sends a crafted HTTP GET request to the SSL VPN web portal exposed by FortiOS or FortiProxy. The request reaches the vulnerable handler before any authentication check, so unauthenticated exploitation is possible. Repeated requests can cause sustained denial of service against the SSL VPN service. Refer to the FortiGuard Security Advisory FG-IR-22-086 for vendor-confirmed technical details.

Detection Methods for CVE-2022-29055

Indicators of Compromise

  • Unexpected restarts or crash entries for the sslvpnd process in FortiOS event logs
  • SSL VPN session interruptions correlated with inbound HTTP GET requests from unauthenticated sources
  • Repeated TCP resets or TLS handshake failures on the SSL VPN listener immediately following a GET request

Detection Strategies

  • Monitor FortiOS crashlog output (diagnose debug crashlog read) for sslvpnd signal terminations
  • Forward FortiGate event and traffic logs to a centralized analytics platform and alert on bursts of HTTP 4xx/5xx responses from the SSL VPN portal
  • Inspect web application firewall or upstream IPS telemetry for malformed HTTP GET patterns targeting /remote/ SSL VPN endpoints

Monitoring Recommendations

  • Baseline normal SSL VPN session counts and alert on sudden drops indicative of daemon crashes
  • Enable FortiGate SNMP traps for process restart events and forward them to SIEM
  • Correlate appliance availability metrics with source IP reputation feeds to identify scanning activity

How to Mitigate CVE-2022-29055

Immediate Actions Required

  • Upgrade FortiOS and FortiProxy to fixed releases identified in FortiGuard advisory FG-IR-22-086
  • Restrict SSL VPN portal exposure to known source ranges using local-in policies where business requirements allow
  • Enable multi-factor authentication on SSL VPN user accounts to limit follow-on access if attackers pivot from availability impact

Patch Information

Fortinet addressed CVE-2022-29055 in updated FortiOS and FortiProxy builds. Administrators should upgrade FortiOS 7.0.x to 7.0.6 or later, FortiOS 6.4.x to 6.4.9 or later, FortiOS 6.2.x to 6.2.11 or later, and FortiProxy 7.0.x to 7.0.5 or later, and FortiProxy 2.0.x to 2.0.10 or later. Consult the FortiGuard Security Advisory for the authoritative fix matrix.

Workarounds

  • Disable the SSL VPN service on affected appliances until patches are applied if remote access is not business-critical
  • Apply firewall local-in policies that limit access to the SSL VPN portal to trusted IP ranges
  • Front the SSL VPN portal with a reverse proxy or WAF capable of dropping malformed HTTP GET requests targeting /remote/ URIs
bash
# Configuration example: restrict SSL VPN access with a local-in policy
config firewall address
    edit "trusted-vpn-clients"
        set subnet 203.0.113.0 255.255.255.0
    next
end

config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "trusted-vpn-clients"
        set dstaddr "all"
        set action accept
        set service "HTTPS"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS"
        set schedule "always"
    next
end

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.