[February 23, 2023] Update: The vulnerability has been exploited. Added the subheading“FortiNAC Vulnerability is Under Exploitation.”
[February 22, 2023] Update: Proof-of-concept exploit has been published. Added the subheading “Proof-of-Concept is Available.”
Fortinet has issued security updates to address 40 vulnerabilities in several product lines, which include 15 high-severity and 2 critical vulnerabilities. The two critical vulnerabilities reside in FortiNAC and FortiWeb products. Successful exploitation of the critical vulnerabilities tracked as CVE-2022-39952 and CVE-2021-42756 can allow an unauthenticated, remote attacker to execute arbitrary code.
Critical FortiNAC Vulnerability: CVE-2022-39952
The CVE-2022-39952 vulnerability (CVSS score: 9.8) affects Fortinet’s network access control product, FortiNAC, which provides network security by increasing visibility.
CVE-2022-39952 is an “external control of file name or path” vulnerability in the FortiNAC web server that could let an unauthenticated attacker perform arbitrary code or command write on the system via specially crafted HTTP requests.
Affected FortiNAC Versions
The CVE-2022-39952 vulnerability affects the following versions of the product:
- FortiNAC version 9.4.0
- FortiNAC version 9.2.0 – 9.2.5
- FortiNAC version 9.1.0 – 9.1.7
- FortiNAC 8.8, all versions
- FortiNAC 8.7, all versions
- FortiNAC 8.6, all versions
- FortiNAC 8.5, all versions
- FortiNAC 8.3, all versions
It is recommended that users who are still using vulnerable versions update to the following versions:
- 9.4.1 or later
- 9.2.6 or later
- 9.1.8 or later
- 7.2.0 or later
Proof-of-Concept is Available
The Horizon3 team has published a proof-of-concept exploit (PoC) on GitHub for the vulnerability and noted several other ways attackers could use to exploit the vulnerability.
In the PoC exploit, they make use of the keyUpload.jsp endpoint to obtain reverse shell as the root user.
They use CVE-2022-39952 to write a cron job in /etc/cron.d/payload, triggering a reverse shell every minute; a zip file with a defined extraction path is created and sent to the vulnerable endpoint with the key field.
FortiNAC Vulnerability is Under Exploitation
Attackers have started to target unpatched FortiNAC appliances with CVE-2022-39952 exploits.
Researcher Piotr Kijewski observed multiple exploitation attempts in Shadowserver honeypot sensors. GreyNoise and CronUp have also confirmed the attacks, detecting attempts from various IP addresses.
Researchers have noted that threat actors use cron jobs to open reverse shells to attackers’ IP addresses; malicious activity in these ongoing attacks matches Horizon3’s proof-of-concept capability.
It is common for vulnerabilities to be exploited after a proof-of-concept is released; therefore, it is recommended to patch your product as soon as possible to avoid these attacks.
Critical FortiWeb Vulnerability: CVE-2021-42756
The second vulnerability affecting FortiWeb is known as CVE-2021-42756 and has a critical CVSS score of 9.8.
FortiWeb is a web application firewall (WAF) solution created to defend web apps and APIs from various online threats, such as cross-site scripting, SQL injection, bot attacks, and DDoS.
FortiWeb’s proxy daemon has several stack-based buffer overflow flaws, which could allow an unauthorized remote attacker to execute arbitrary code by sending specially crafted HTTP requests.
Affected FortiWeb Versions
This vulnerability affects various versions of FortiWeb, which are:
- FortiWeb versions 5.x, all versions
- FortiWeb versions 6.0.7 and below
- FortiWeb versions 6.1.2 and below
- FortiWeb versions 6.2.6 and below
- FortiWeb versions 6.3.16 and below
- FortiWeb versions 6.4, all versions
To fix the issue, users should upgrade FortiWeb to:
- 7.0.0 or later
- 6.3.17 or later
- 6.2.7 or later
- 6.1.3 or later
- 6.0.8 or later
The vendor has not provided any mitigation advice or workarounds for these vulnerabilities, so applying the available security updates is the only way to mitigate the risks.
You can visit Fortinet’s security advisory for both vulnerabilities here: CVE-2022-39952 and CVE-2021-42756.
How Can SOCRadar Help?
SOCRadar is a helpful platform that keeps you informed on the newest security threats and vulnerabilities by collecting information on all known vulnerabilities and presenting it as user-friendly. The platform uses alerts to help you prioritize your actions and stay informed about potential risks to your organization. In addition, it provides a holistic perspective with SVRS (SOCRadar Vulnerability Risk Score), which it has created by taking advantage of many sources such as social media mentions.
You can utilize SOCRadar’s Vulnerability Intelligence module to access detailed information on vulnerabilities, allowing you to effectively manage any related issues and prioritize the necessary patches.