
WARNING: Critical Authentication Bypass Vulnerability in Fortinet SSL VPN

Reference: Advisory #2022-43
Version: 2.0
Affected software:
FortiOS version 7.2.0 through 7.2.2
FortiOS version 7.0.0 through 7.0.8
FortiOS version 6.4.0 through 6.4.10
FortiOS version 6.2.0 through 6.2.11
FortiOS version 6.0.0 through 6.0.15
FortiOS version 5.6.0 through 5.6.14
FortiOS version 5.4.0 through 5.4.13
FortiOS version 5.2.0 through 5.2.15
FortiOS version 5.0.0 through 5.0.14
FortiOS-6K7K version 7.0.0 through 7.0.7
FortiOS-6K7K version 6.4.0 through 6.4.9
FortiOS-6K7K version 6.2.0 through 6.2.11
FortiOS-6K7K version 6.0.0 through 6.0.14
Type: Remote Code Execution (RCE)
CVE/CVSS: CVE-2022-42475 (CVSS score: 9.3)

Sources

https://www.fortiguard.com/psirt/FG-IR-22-398

Risks

A new critical flaw affects the SSL VPN feature of Fortinet FortiGate firewalls.

The attack does not require any user interaction and can be executed remotely, leading to the full takeover of vulnerable devices. The impact on confidentiality, integrity and availability is high.
 
This vulnerability is being actively exploited in the wild by threat actors.

In case of an intrusion, you can report the incident via: https://cert.be/en/report-incident

Description

This vulnerability can be easily exploited.  

A heap-based buffer overflow vulnerability in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

Recommended Actions

Upgrade

The CCB strongly encourages organisations to ensure they upgrade their systems to:

  • FortiOS version 7.2.3 or above
  • FortiOS version 7.0.9 or above
  • FortiOS version 6.4.11 or above
  • FortiOS version 6.2.12 or above
  • upcoming FortiOS version 6.0.16 or above
  • upcoming FortiOS-6K7K version 7.0.8 or above
  • FortiOS-6K7K version 6.4.10 or above
  • upcoming FortiOS-6K7K version 6.2.12 or above
  • FortiOS-6K7K version 6.0.15 or above

Mitigation/workaround

  • Disable the VPN-SSL feature if it is not essential.
  • Review your logs to verify that no unauthorized access has occurred.
  • Set up conditional access rules (such as GeoIP restrictions) to limit your exposure.

Monitoring/Detection
 
The CCB recommends that organisations scale up their monitoring and detection capabilities in order to detect any related suspicious activity and ensure a fast response in case of an intrusion.

Monitor the presence of the following logs on your firewall:

Logdesc="Application crashed" and msg="[…] application:sslvpnd,[…], Signal 11 received, Backtrace: […]"
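The following is an added example, not part of the CCB advisory or of Fortinet's own tooling. It turns the "Affected software"/"Upgrade" lists above into a version check and applies the crash indicator from this section to FortiOS key=value event lines; the sample log lines are constructed for the example and are not real device output.

```python
import re

# Affected ranges and fixed builds transcribed from the advisory's "Affected software" and
# "Upgrade" sections: (branch, first affected, last affected, first fixed build or None).
AFFECTED = [
    ("FortiOS", "7.2.0", "7.2.2", "7.2.3"), ("FortiOS", "7.0.0", "7.0.8", "7.0.9"),
    ("FortiOS", "6.4.0", "6.4.10", "6.4.11"), ("FortiOS", "6.2.0", "6.2.11", "6.2.12"),
    ("FortiOS", "6.0.0", "6.0.15", "6.0.16"), ("FortiOS", "5.6.0", "5.6.14", None),
    ("FortiOS", "5.4.0", "5.4.13", None), ("FortiOS", "5.2.0", "5.2.15", None),
    ("FortiOS", "5.0.0", "5.0.14", None),
    ("FortiOS-6K7K", "7.0.0", "7.0.7", "7.0.8"), ("FortiOS-6K7K", "6.4.0", "6.4.9", "6.4.10"),
    ("FortiOS-6K7K", "6.2.0", "6.2.11", "6.2.12"), ("FortiOS-6K7K", "6.0.0", "6.0.14", "6.0.15"),
]

def _v(s):
    return tuple(int(x) for x in s.split("."))

def check_version(branch, version):
    """Return (affected, fixed_build). fixed_build is None when the advisory names no
    patched build for that branch (the 5.x trains), i.e. a branch upgrade is needed."""
    v = _v(version)
    for b, lo, hi, fixed in AFFECTED:
        if b == branch and _v(lo) <= v <= _v(hi):
            return True, fixed
    return False, None

# Indicator from the Monitoring/Detection section: an sslvpnd crash with signal 11 (SIGSEGV).
SSLVPND_CRASH = re.compile(r"application:sslvpnd.*Signal 11 received", re.I)
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortios_log(line):
    """Parse a key=value FortiOS event line; keys lower-cased, surrounding quotes stripped."""
    return {k.lower(): v.strip('"') for k, v in KV.findall(line)}

def find_sslvpnd_crashes(lines):
    """Return the log lines that match the advisory's crash indicator."""
    hits = []
    for line in lines:
        rec = parse_fortios_log(line)
        if rec.get("logdesc") == "Application crashed" and SSLVPND_CRASH.search(rec.get("msg", "")):
            hits.append(line)
    return hits

# Constructed sample lines (not real device output); only the first one should match.
SAMPLE_LOGS = [
    'date=2022-12-12 time=10:15:01 type="event" level="critical" logdesc="Application crashed" msg="application:sslvpnd,1234, Signal 11 received, Backtrace: [0x7f..]"',
    'date=2022-12-12 time=10:15:02 type="event" level="notice" logdesc="SSL VPN login ok" msg="user login succeeded"',
    'date=2022-12-12 time=10:16:00 type="event" level="critical" logdesc="Application crashed" msg="application:ipsengine,2222, Signal 11 received, Backtrace: [..]"',
]
```

A crash of sslvpnd is an indicator, not proof of compromise: a hit should trigger the log review and patch status check described above, not replace them.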

 

References

https://olympecyberdefense.fr/vpn-ssl-fortigate/
https://www.tenable.com/blog/cve-2022-42475-fortinet-patches-zero-day-in-fortios-ssl-vpns
https://thehackernews.com/2022/12/fortinet-warns-of-active-exploitation.html
https://research.kudelskisecurity.com/2022/12/12/bulletin-critical-severity-buffer-overflow-0-day-vulnerability-in-fortinet-ssl-vpn-under-active-exploitation-cve-2022-42475/