
WARNING: FORTINET PATCHES TWO CRITICAL SEVERITY VULNERABILITIES IN ITS PRODUCTS

Reference:
Advisory #2023-21
Version: 
1.0
Affected software:
FortiNAC version 9.4.0
FortiNAC version 9.2.0 through 9.2.5
FortiNAC version 9.1.0 through 9.1.7
FortiNAC 8.3 all versions
FortiNAC 8.4 all versions
FortiNAC 8.5 all versions
FortiNAC 8.6 all versions
FortiNAC 8.7 all versions
FortiNAC 8.8 all versions
FortiWeb 5.x all versions
FortiWeb 6.0.7 and below
FortiWeb 6.1.2 and below
FortiWeb 6.2.6 and below
FortiWeb 6.3.16 and below
FortiWeb 6.4 all versions
Type: 
Remote Code Execution (RCE), Stack-based Buffer Overflows
CVE/CVSS: 

CVE-2022-39952 (CVSS: 9.8)
CVE-2021-42756 (CVSS: 9.3)

Sources

https://www.fortiguard.com/psirt/FG-IR-22-300
https://www.fortiguard.com/psirt/FG-IR-21-186
https://nvd.nist.gov/vuln/detail/CVE-2022-39952
https://securityonline.info/fortinet-patches-critical-cve-2022-39952-cve-2021-42756-bugs-in-its-products/

Risks

Fortinet has released security updates to address a remote code execution (RCE) vulnerability and a stack-based buffer overflow vulnerability, affecting the FortiNAC web server and FortiWeb respectively. The impact on confidentiality, integrity and availability is high.

FortiNAC web server contains a remote code execution (RCE) flaw, CVE‑2022‑39952, that could allow an unauthenticated attacker to execute arbitrary code on the affected system.

Successful exploitation of the stack-based buffer overflow vulnerability, CVE-2021-42756, in FortiWeb's proxy daemon may allow an unauthenticated remote attacker to achieve arbitrary code execution via specially crafted HTTP requests.

Description

The remote code execution vulnerability in Fortinet FortiNAC webserver affects versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7.

The security flaw CVE-2021-42756 in the proxy daemon of FortiWeb affects 5.x all versions, 6.0.7 and below, 6.1.2 and below, 6.2.6 and below, 6.3.16 and below, and 6.4 all versions.
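To turn the affected-version lists above into a repeatable check against an asset inventory, the following script is an added example; it is not part of this advisory and not code from the CCB or Fortinet. The version ranges are copied from the Description section of this advisory; the inventory is constructed sample data, and the script assumes versions are dotted integers (major.minor.patch). Fixed versions must be taken from the vendor PSIRT pages listed under Sources.

```python
"""Check FortiNAC / FortiWeb version strings against the ranges in this advisory."""

def parse_version(text):
    """Turn '9.2.5' into (9, 2, 5) so tuples compare numerically, not lexically."""
    return tuple(int(part) for part in text.strip().split("."))

# Each range is (branch prefix, lowest affected, highest affected).
# None for a bound means "unbounded within that branch" (e.g. "all versions").
# Ranges for CVE-2022-39952 (FortiNAC), as listed in the advisory's Description.
FORTINAC_AFFECTED = [
    ((9, 4), (9, 4, 0), (9, 4, 0)),
    ((9, 2), (9, 2, 0), (9, 2, 5)),
    ((9, 1), (9, 1, 0), (9, 1, 7)),
    ((8, 8), (8, 8, 0), (8, 8, 11)),
    ((8, 7), (8, 7, 0), (8, 7, 6)),
    ((8, 6), (8, 6, 0), (8, 6, 5)),
    ((8, 5), (8, 5, 0), (8, 5, 4)),
    ((8, 3), (8, 3, 7), (8, 3, 7)),
]

# Ranges for CVE-2021-42756 (FortiWeb): "5.x all versions", "6.0.7 and below", ...
FORTIWEB_AFFECTED = [
    ((5,), None, None),
    ((6, 0), None, (6, 0, 7)),
    ((6, 1), None, (6, 1, 2)),
    ((6, 2), None, (6, 2, 6)),
    ((6, 3), None, (6, 3, 16)),
    ((6, 4), None, None),
]

PRODUCT_RANGES = {"FortiNAC": FORTINAC_AFFECTED, "FortiWeb": FORTIWEB_AFFECTED}


def is_affected(version, ranges):
    """True if `version` falls inside any listed (branch, low, high) range."""
    v = parse_version(version)
    for branch, low, high in ranges:
        if v[:len(branch)] != branch:      # different major/minor branch
            continue
        if low is not None and v < low:    # below the first affected build
            continue
        if high is not None and v > high:  # above the last affected build
            continue
        return True
    return False


def hosts_needing_update(inventory):
    """Return hostnames whose product/version pair is affected by this advisory.

    `inventory` is an iterable of (hostname, product, version) tuples. An unknown
    product name is an error rather than silently "not affected".
    """
    flagged = []
    for hostname, product, version in inventory:
        if product not in PRODUCT_RANGES:
            raise ValueError(f"unknown product for {hostname}: {product}")
        if is_affected(version, PRODUCT_RANGES[product]):
            flagged.append(hostname)
    return flagged


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    ("nac-01", "FortiNAC", "9.2.3"),   # inside 9.2.0 through 9.2.5
    ("nac-02", "FortiNAC", "9.4.1"),   # 9.4 branch but not the listed 9.4.0
    ("waf-01", "FortiWeb", "6.3.16"),  # exactly "6.3.16 and below"
    ("waf-02", "FortiWeb", "7.0.1"),   # branch not listed in the advisory
]

if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: affected, schedule vendor update")
```

The branch prefix matters: a version such as 9.4.1 is not in the 9.4.0 range, and a FortiWeb 7.x build matches no listed branch, so both come back unaffected rather than being caught by a naive "lower than 9.4.0" comparison. Treat an unaffected result as "not listed here", not as a guarantee; confirm against the vendor PSIRT entries.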

A complete PoC (proof of concept) script for CVE-2022-39952 is publicly available: https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/

There are currently no reports of these vulnerabilities being exploited in the wild.

Recommended actions

The CCB recommends that administrators install the updated versions of the FortiNAC web server and the FortiWeb proxy daemon released by the vendor.

At present, there are no mitigations or workarounds for these security flaws, so updating the affected products is the only recommended way to address the risk.