Cybersecurity solutions company Fortinet has updated its zero-trust access solution FortiNAC to address a critical-severity vulnerability that attackers could exploit to execute code and commands.

FortiNAC enables organizations to manage network-wide access policies, gain device and user visibility, and secure the network against unauthorized access and threats.

The security issue is tracked as CVE-2023-33299 and received a critical severity score of 9.6 out of 10. It is an untrusted data deserialization that may lead to remote code execution ( RCE) without authentication.

“A Deserialization of Untrusted Data Vulnerability [CWE-502] in FortiNAC may allow an unauthenticated user to execute unauthorized code or commands via specially crafted requests to the TCP/1050 service” – Fortinet

The products impacted by this flaw are:

  • FortiNAC versions 9.4.0 to 9.4.2
  • FortiNAC versions 9.2.0 to 9.2.7
  • FortiNAC versions 9.1.0 to 9.1.9
  • FortiNAC versions 7.2.0 to 7.2.1
  • FortiNAC 8.8, all versions
  • FortiNAC 8.7, all versions
  • FortiNAC 8.6, all versions
  • FortiNAC 8.5, all versions
  • FortiNAC 8.3, all versions

The recommended versions for upgrading to address the vulnerability risk are:

  • FortiNAC 9.4.3 or higher
  • FortiNAC 9.2.8 or higher
  • FortiNAC 9.1.10 or higher
  • FortiNAC 7.2.2 or higher

The vendor has not provided any mitigation advice, so the recommended action is to apply available security updates.

CVE-2023-33299 was discovered by Florian Hauser of Code White which provides red team, penetration testing and threat intelligence services.

Along with the critical RCE, Fortinet today also announced that it has fixed a medium severity vulnerability identified as CVE-2023-33300 – an inappropriate access control issue affecting FortiNAC 9.4.0 through 9.4.3 and FortiNAC 7.2.0 through 7.2.1.

“Improper neutralization of special elements used in a command vulnerability (“command injection”) [CWE-77] in the FortiNAC TCP/5555 service may allow an unauthenticated attacker to copy files local to the device to other local directories on the device via specially crafted input fields” – Fortinet

The lower severity is given by the fact that CVE-2023-33300 can be exploited locally by an attacker with high enough privileges to access the copied data.

Update without delay

Due to the level of access and control over the network, Fortinet products are particularly attractive to hackers. For the past few years, Fortinet devices have been a target for various threat actors, who have breached organizations with zero-day exploits and by hitting unpatched devices.

A recent example is CVE-2022-39952a critical RCE impacting FortiNAC which received a patch in mid-February but hackers started using it in attacks a few days later, after the proof-of-concept code was released.

In January, Fortinet warned that hackers had exploited a vulnerability in FortiOS SSL-VPN (CVE-2022-42475) in attacks against government organizations before a fix is ​​available.

Last year in October, the company urged customers to patch devices against a critical authentication bypass in FortiOS, FortiProxy, and FortiSwitchManager (CVE-2022-40684) because hackers started exploiting it.

Source link