www.belgium.be Logo of the federal government

WARNING: FORTINET PATCHES TWO CRITICAL SEVERITY VULNERABILITIES IN ITS PRODUCTS

Referentie: 
Advisory #2023-21
Versie: 
1.0
Geïmpacteerde software: 
FortiNAC version 9.4.0
FortiNAC version 9.2.0 through 9.2.5
FortiNAC version 9.1.0 through 9.1.7
FortiNAC 8.3 all versions
FortiNAC 8.4 all versions
FortiNAC 8.5 all versions
FortiNAC 8.6 all versions
FortiNAC 8.7 all versions
FortiNAC 8.8 all versions
FortiWeb versions 5.x all versions
FortiWeb versions 6.0.7 and below
FortiWeb versions 6.1.2 and below
FortiWeb versions 6.2.6 and below
FortiWeb versions 6.3.16 and below
FortiWeb versions 6.4 all versions
Type: 
Remote Code Execution (RCE), Stack-based Buffer Overflows
CVE/CVSS: 

CVE-2022-39952 (CVSS: 9.8)
CVE-2021-42756 (CVSS: 9.3)

Bronnen

https://www.fortiguard.com/psirt/FG-IR-22-300
https://www.fortiguard.com/psirt/FG-IR-21-186
https://nvd.nist.gov/vuln/detail/CVE-2022-39952
https://securityonline.info/fortinet-patches-critical-cve-2022-39952-cve-2021-42756-bugs-in-its-products/

Risico’s

Fortinet has released security updates to address a remote code execution (RCE) and a Stack‑based Buffer Overflows vulnerability, affecting FortiNAC web server and FortiWeb respectively. The impact to confidentiality, integrity and availability is high.

FortiNAC web server contains a remote code execution (RCE) flaw, CVE‑2022‑39952, that could allow an unauthenticated attacker to execute arbitrary code on the affected system.

Successful exploitation of the stack‑based overflows vulnerability, CVE-2021-42756, in FortiWeb’s proxy daemon may allow an unauthenticated remote attacker to achieve arbitrary code execution via specially crafted HTTP requests.

Beschrijving

The remote code execution vulnerability in Fortinet FortiNAC webserver affects versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7.

Whereas, the security flaw, CVE-2021-42756, in the proxy daemon of FortiWeb affects 5.x all versions, 6.0.7 and below, 6.1.2 and below, 6.2.6 and below, 6.3.16 and below, 6.4 all versions.

A complete PoC (Proof of Concept) scripts for CVE-2022-39952 is available: https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/

There are currently no reports of these vulnerabilities being exploited in the wild.

Aanbevolen acties

The CCB recommends administrators to install updated versions of the FortiNAC webserver and FortiWeb proxy daemon released by the vendor.

At present, there is no mitigation advice or workarounds for the discovered security flaws, so updating the impacted products is the only recommended approach to address the risks.