Fortinet plugs critical security hole in FortiNAC, with a PoC incoming (CVE-2022-39952)
Fortinet has dropped fixes for 40 vulnerabilities in a variety of its products, including two critical vulnerabilities (CVE-2022-39952, CVE-2021-42756) affecting its FortiNAC and FortiWeb solutions.
Since cyberattackers love to exploit vulnerabilities in Fortinet enterprise solutions and a PoC exploit for CVE-2022-39952 is expected to be released soon, admins are advised to get a move on patching.
About the vulnerabilities
CVE-2022-39952 is an external control of file name or path vulnerability in the webserver of FortiNAC, Fortinet’s network access control solution. It can be exploited by an unauthenticated attacker to perform arbitrary write on a vulnerable system.
It has been fixed in FortiNAC version 9.4.1 or above, 9.2.6 or above, 9.1.8 or above, and 7.2.0 or above.
Horizon3.ai’s Attack Team has already announced they will soon be releasing a PoC and a blog post detailing the exploitation:
CVE-2022-39952, announced today, allows for unauthenticated RCE against #Fortinet FortiNAC as the root user. Blog post and POC to be released soon.
See Fortinet's PSIRT: https://t.co/sBsrs8Wxqb pic.twitter.com/EqkIo3ap4s
— Horizon3 Attack Team (@Horizon3Attack) February 17, 2023
CVE-2021-42756 covers multiple stack-based buffer overflow vulnerabilities [CWE-121] in the proxy daemon of FortiWeb, the company’s web application firewall solution. The vulnerability can be triggered via a specifically crafted HTTP request and may allow an unauthenticated remote attacker to achieve arbitrary code execution.
It has been fixed in FortiWeb version 7.0.0 or above, 6.3.17 or above, 6.2.7 or above, 6.1.3 or above, and 6.0.8 or above.
Both vulnerabilities have been unarthed by members of the Fortinet Product Security team, but the company did not mention why it took so long to push fixes for the latter (the CVE number indicates it has been discovered in 2021).
Most of the remaining fixed vulnerabilities have also been found by Fortinet employees, which points to a concerted internal push to pinpoint and fix security weaknesses in the company’s products.
Other solutions admins should update are:
- FortiADC (advanced application delivery controller)
- FortiAnalyzer (log management, analytics, and reporting platform)
- FortiExtender (WAN connections extender)
- FortiOS (operating system used in Fortinet hardware, including FortiGate firewalls)
- FortiProxy (secure web proxy/gateway)
- FortiAuthenticator (user identity management)
- The FortiSwitchManager module
- FortiPortal (portal for service providers)
- FortiSandbox (malware sandbox)
- FortiWAN (multi-WAN management)
Most recently, attackers have been spotted exploiting a FortiOS vulnerability (CVE-2022-42475).
UPDATE (February 21, 2023, 09:25 a.m. ET):
Horizon3.ai has released the PoC exploit and indicators of compromise. Greynoise has created a tag to flag exploitation attempts in the wild.