BSI Alert: Critical vulnerability in Fortinet SSL VPN

14 December 2022
| No comments
B2B Cyber ​​Security ShortNews

Share post

The BSI warns against active exploitation of a critical vulnerability in Fortinet SSL VPN. FortiOS' service, used on FortiGate firewalls, allows attackers to execute malicious code or commands.

According to the BSI, companies that use FortiGate firewalls should patch their devices as soon as possible. The vulnerability is determined by the manufacturer Common Vulnerability Scoring System (CVSS) v3.1 rated “critical” with an overall CVSS score of 9.3 out of 10. CVE-2022-42475 was assigned for the vulnerability. According to the Fortinet PSIRT - Product Security Incident Response Team - there is a heap-based buffer overflow vulnerability in the SSL VPN service.

FortiGate Firewalls: Active use of the vulnerability

Fortinet's PSIRT indicates that the following product versions are affected by the vulnerability:

  • FortiOS-6K7K version 7.0.0 – 7.0.7
  • FortiOS-6K7K version 6.4.0 – 6.4.9
  • FortiOS-6K7K version 6.2.0 – 6.2.11
  • FortiOS-6K7K version 6.0.0 – 6.0.14
  • FortiOS version 7.2.0 – 7.2.2
  • FortiOS version 7.0.0 – 7.0.8
  • FortiOS version 6.4.0 – 6.4.10
  • FortiOS version 6.2.0 – 6.2.11

Manufacturer Fortinet also announced that one case of a successful exploitation of the vulnerability had already been observed. Therefore, the immediate implementation of the patch measures is recommended. Fortinet provides the instructions for already suitable patches on its website.

  • FortiOS version 7.2.3 or higher
  • FortiOS version 7.0.9 or higher
  • FortiOS version 6.4.11 or higher
  • FortiOS version 6.2.12 or higher
  • FortiOS-6K7K version 7.0.8 or higher
  • FortiOS-6K7K version 6.4.10 or higher
  • FortiOS-6K7K version 6.2.12 or higher
  • FortiOS-6K7K version 6.0.15 or higher
More at BSI.Bund.de

 

About the Federal Office for Information Security (BSI)

The Federal Office for Information Security (BSI) is the federal cyber security authority and the creator of secure digitization in Germany. The guiding principle: As the federal cyber security authority, the BSI designs information security in digitization through prevention, detection and reaction for the state, economy and society.

 

Matching articles on the topic

Report: 40 percent more phishing worldwide

The current spam and phishing report from Kaspersky for 2023 speaks for itself: users in Germany are after ➡ Read more

BSI sets minimum standards for web browsers

The BSI has revised the minimum standard for web browsers for administration and published version 3.0. You can remember that ➡ Read more

Stealth malware targets European companies

Hackers are attacking many companies across Europe with stealth malware. ESET researchers have reported a dramatic increase in so-called AceCryptor attacks via ➡ Read more

IT security: Basis for LockBit 4.0 defused

Trend Micro, working with the UK's National Crime Agency (NCA), analyzed the unpublished version that was in development ➡ Read more

MDR and XDR via Google Workspace

Whether in a cafe, airport terminal or home office – employees work in many places. However, this development also brings challenges ➡ Read more

Test: Security software for endpoints and individual PCs

The latest test results from the AV-TEST laboratory show very good performance of 16 established protection solutions for Windows ➡ Read more

FBI: Internet Crime Report counts $12,5 billion in damage 

The FBI's Internet Crime Complaint Center (IC3) has released its 2023 Internet Crime Report, which includes information from over 880.000 ➡ Read more

HeadCrab 2.0 discovered

The HeadCrab campaign against Redis servers, which has been active since 2021, continues to successfully infect targets with the new version. The criminals' mini-blog ➡ Read more

Short news