Heads up, Fortinet users! Vendors patched numerous serious security vulnerabilities in the Fortinet FortiADc and FortiTester devices. The fixes arrive with the latest firmware updates, urging users to upgrade their respective devices.
Fortinet FortiADC And FortiTester Vulnerabilities
The cybersecurity giant Fortinet has recently disclosed multiple vulnerabilities affecting its products. The vulnerabilities typically affected its FortiADC – application delivery controller, and FortiTester – network device testing hardware.
The vendors haven’t shared many details about the security flaws, yet they have briefly described the issues alongside the detailed list of affected products.
Specifically, Fortinet mentioned detecting multiple command injection vulnerabilities in the FortiADC web interface.
According to its advisory, the bug existed due to the improper neutralization of special elements used in an OS command. Exploiting the flaw could allow an unauthenticated adversary accessing the web interface to execute commands via specially crafted HTTP requests.
Fortinet has labeled the flaw, CVE-2022-39947, as a high-severity vulnerability that received a CVSS score of 8.6. The affected products include FortiADC versions 7.0.0 through 7.0.1, 6.2.0 through 6.2.3, 5.4.0 through 5.4.5, and all versions of FortiADC 6.1 and 6.0.
Similarly, the vendors have shared another advisory highlighting the vulnerabilities in the FortiTester device. As described, they detected numerous command injection vulnerabilities in the GUI and API due to improper neutralization of special elements in OS commands. Exploiting the flaw could let an unauthenticated attacker execute arbitrary commands in the shell.
Fortinet described the vulnerability CVE-2022-35845 as a high-severity issue (CVSS 7.6) affecting FortiTester 7.1.0, 7.0 all versions, 4.0.0 through 4.2.0, and 2.3.0 through 3.9.1.
Fortinet Released The Bug Fixes
The security vendor acknowledged its Product Security Team members, Gwendal Guégniaud and Wilfried Djettchou, for discovering and reporting the FortiADC and FortiTester vulnerabilities, respectively.
Following the bug reports, Fortinet patched the vulnerabilities with the subsequent product updates. Hence, users should upgrade to the following versions to receive the fixes.
- FortiADC 7.0.2 or above, 6.2.4 or above, and 5.4.6 or above.
- FortiTester version 7.2.0 or above, 7.1.1 or above, 4.2.1 or above, and 3.9.2 or above
Let us know your thoughts in the comments.