Cybersecurity solutions company Fortinet has updated its zero-trust access solution FortiNAC to address a critical-severity vulnerability that attackers could exploit to execute code and commands.
FortiNAC enables organizations to manage network-wide access policies, gain device and user visibility, and secure the network against unauthorized access and threats.
The security issue is tracked as CVE-2023-33299 and received a critical severity score of 9.6 out of 10. It is an untrusted-data deserialization flaw that may lead to remote code execution (RCE) without authentication.
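To make the vulnerability class concrete, here is a generic illustration of why deserializing untrusted data is treated as a code-execution bug, using Python's pickle module. This is an added example for explanation only; the article says nothing about how FortiNAC is implemented, and none of this is Fortinet's code. The message shape (`user`/`role`), the `marker` function and the sample byte strings are all constructed here.

```python
"""Untrusted deserialization, shown with Python's pickle.

Added, generic illustration; it does not describe FortiNAC internals and is
not Fortinet code. A pickle stream can name any importable callable and the
default loader will call it while rebuilding objects, so feeding attacker-
controlled bytes to pickle.loads() is equivalent to letting them pick a
function to run. The hardened variants below either refuse every global or
switch to a data-only format with schema checks.
"""
import io
import json
import pickle

# Records whether a callable named inside a stream was invoked during load.
INVOKED = []


def marker(tag):
    """Harmless stand-in for whatever callable a hostile stream would name."""
    INVOKED.append(tag)
    return tag


class Payload:
    """Object whose pickle reduction tells the loader to call marker()."""
    def __reduce__(self):
        return (marker, ("ran during deserialization",))


# Constructed sample inputs: one hostile stream, one ordinary dict.
CONSTRUCTED_HOSTILE = pickle.dumps(Payload())
CONSTRUCTED_BENIGN = pickle.dumps({"user": "alice", "role": "viewer"})


def unsafe_load(data: bytes):
    """The vulnerable pattern: default pickle.loads on untrusted bytes."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global, so no callable or class
    can be reconstructed from the stream. Only built-in containers and
    scalars survive, which is enough for plain data messages."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_load(data: bytes):
    """Hardened pickle loading: every global reference is rejected."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def json_load(data: bytes) -> dict:
    """Preferred fix: a data-only format plus an explicit schema check.
    The accepted shape and role values are constructed for this example."""
    obj = json.loads(data)
    if not isinstance(obj, dict) or set(obj) != {"user", "role"}:
        raise ValueError("unexpected message shape")
    if obj["role"] not in {"viewer", "admin"}:
        raise ValueError("unexpected role")
    return obj


def demo() -> dict:
    """Run the three loaders over the constructed inputs and report results."""
    results = {}
    INVOKED.clear()
    unsafe_load(CONSTRUCTED_HOSTILE)
    # The default loader called marker() just by parsing the bytes.
    results["unsafe_invoked_callable"] = bool(INVOKED)
    try:
        safe_load(CONSTRUCTED_HOSTILE)
        results["safe_rejected"] = False
    except pickle.UnpicklingError:
        results["safe_rejected"] = True
    # Ordinary data still round-trips through the restricted loader.
    results["safe_benign"] = safe_load(CONSTRUCTED_BENIGN)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The restricted unpickler is a stop-gap for code that cannot drop pickle immediately; the durable fix is the JSON path, where the parser can only ever produce data and the application decides what shapes it accepts.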
The products impacted by this flaw are:
- FortiNAC versions 9.4.0 to 9.4.2
- FortiNAC versions 9.2.0 to 9.2.7
- FortiNAC versions 9.1.0 to 9.1.9
- FortiNAC versions 7.2.0 to 7.2.1
- FortiNAC 8.8, all versions
- FortiNAC 8.7, all versions
- FortiNAC 8.6, all versions
- FortiNAC 8.5, all versions
- FortiNAC 8.3, all versions
The recommended versions for upgrading to address the vulnerability risk are:
- FortiNAC 9.4.3 or higher
- FortiNAC 9.2.8 or higher
- FortiNAC 9.1.10 or higher
- FortiNAC 7.2.2 or higher
The vendor has not provided any mitigation advice, so the recommended action is to apply available security updates.
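Administrators with more than a handful of appliances usually want to run the affected and fixed ranges above against an inventory rather than eyeball them. The following added example does that for both CVEs named in this article; it is not Fortinet tooling. The version ranges are copied from the article, the branch-matching logic is our own, and the article names no fixed build for CVE-2023-33300 or for the 8.x branches, so those cases are reported as "affected" without an upgrade target.

```python
"""Map FortiNAC version strings to the affected ranges Fortinet published
for CVE-2023-33299 (critical, unauthenticated RCE) and CVE-2023-33300
(medium, local). Added inventory helper, not Fortinet code; the ranges are
taken from the advisory as reported, the matching logic is ours.
"""
from __future__ import annotations

import re

# Each entry: (branch, first affected, last affected, fixed release).
# first/last of None means the advisory lists every version of that branch;
# a fixed release of None means no patched build in that branch is named.
CVE_2023_33299 = [
    ("9.4", "9.4.0", "9.4.2", "9.4.3"),
    ("9.2", "9.2.0", "9.2.7", "9.2.8"),
    ("9.1", "9.1.0", "9.1.9", "9.1.10"),
    ("7.2", "7.2.0", "7.2.1", "7.2.2"),
    ("8.8", None, None, None),  # all versions affected, no fixed build named
    ("8.7", None, None, None),
    ("8.6", None, None, None),
    ("8.5", None, None, None),
    ("8.3", None, None, None),
]

# The article gives the affected range only; no fixed release is stated.
CVE_2023_33300 = [
    ("9.4", "9.4.0", "9.4.3", None),
    ("7.2", "7.2.0", "7.2.1", None),
]

ADVISORIES = {
    "CVE-2023-33299": CVE_2023_33299,
    "CVE-2023-33300": CVE_2023_33300,
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '9.4.2', 'v9.4.2' or '9.4.2 build 1234' into (9, 4, 2).
    Raises ValueError if the string does not start with dotted integers."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def assess(version: str, cve: str) -> dict:
    """Classify one version against one advisory.

    status is 'affected' (inside a listed range, or in an all-versions
    branch), 'fixed' (same branch, at or past the named fixed release) or
    'not_listed' (branch absent from the advisory, or newer than the range
    with no fixed build named, so the article gives no answer)."""
    v = parse_version(version)
    branch = ".".join(str(p) for p in v[:2])
    for b, first, last, fixed in ADVISORIES[cve]:
        if b != branch:
            continue
        if first is None:
            return {"cve": cve, "status": "affected", "upgrade_to": None}
        if parse_version(first) <= v <= parse_version(last):
            return {"cve": cve, "status": "affected", "upgrade_to": fixed}
        if fixed is not None and v >= parse_version(fixed):
            return {"cve": cve, "status": "fixed", "upgrade_to": None}
        return {"cve": cve, "status": "not_listed", "upgrade_to": None}
    return {"cve": cve, "status": "not_listed", "upgrade_to": None}


def assess_all(version: str) -> dict[str, dict]:
    """Run every advisory in ADVISORIES against one version string."""
    return {cve: assess(version, cve) for cve in ADVISORIES}


if __name__ == "__main__":
    # Constructed inventory lines: hostname and reported version.
    inventory = [("nac-01", "9.4.1"), ("nac-02", "9.4.3"),
                 ("nac-03", "8.8.11"), ("nac-04", "v9.1.10 build 0100")]
    for host, ver in inventory:
        for cve, r in assess_all(ver).items():
            target = f" -> upgrade to {r['upgrade_to']}" if r["upgrade_to"] else ""
            print(f"{host} {ver}: {cve} {r['status']}{target}")
```

Note the 9.4.3 case: it is the fixed release for the critical CVE-2023-33299 yet still inside the stated range for CVE-2023-33300, so a host that has just taken the RCE fix still shows one open finding.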
CVE-2023-33299 was discovered by Florian Hauser of Code White, which provides red team, penetration testing and threat intelligence services.
Along with the critical RCE, Fortinet today also announced that it has fixed a medium severity vulnerability identified as CVE-2023-33300 – an inappropriate access control issue affecting FortiNAC 9.4.0 through 9.4.3 and FortiNAC 7.2.0 through 7.2.1.
The lower severity reflects the fact that CVE-2023-33300 can only be exploited locally, by an attacker who already has high enough privileges to access the copied data.
Update without delay
Because of the level of access and control over the network they provide, Fortinet products are particularly attractive to hackers. For the past few years, Fortinet devices have been a target for various threat actors, who have breached organizations with zero-day exploits and by hitting unpatched devices.
A recent example is CVE-2022-39952, a critical RCE impacting FortiNAC that received a patch in mid-February; hackers started using it in attacks a few days later, after proof-of-concept code was released.
In January, Fortinet warned that hackers had exploited a vulnerability in FortiOS SSL-VPN (CVE-2022-42475) in attacks against government organizations before a fix was available.
Last year in October, the company urged customers to patch devices against a critical authentication bypass in FortiOS, FortiProxy, and FortiSwitchManager (CVE-2022-40684) because hackers started exploiting it.