Fortinet Addressed Critical RCE Vulnerability In FortiNAC Systems

The cybersecurity and technology provider, Fortinet, has recently addressed multiple security flaws affecting FortiNAC systems. This includes patching a critical remote code execution vulnerability that allowed unauthenticated code execution on the target FortiNAC system.

FortiNAC Vulnerability Could Allow Remote Attacks

The security researcher Florian Hauser from Code White Security discovered two different security issues in the latest FortiNAC versions.

Hauser became interested in analyzing this product after Fortinet addressed the critical vulnerability (CVE-2022-39952) in February this year. The researcher decided to analyze the FortiNAC version 9.4.1 to look for additional vulnerabilities, and he found two notable issues.

The first is a critical remote code execution vulnerability in FortiNAC (CVE-2023-33299; CVSS 9.6). Exploiting this RCE vulnerability could allow an unauthenticated remote adversary to execute arbitrary commands on target FortiNAC systems.

As elaborated in Fortinet’s advisory, this vulnerability existed due to deserialization of untrusted data. An attacker could exploit the flaw by sending maliciously crafted requests to the tcp/1050 service.

This vulnerability affected numerous FortiNAC versions, which include versions 9.4.0 through 9.4.2, 9.2.0 through 9.2.7, 9.1.0 through 9.1.9, 7.2.0 through 7.2.1, and all versions of FortiNAC 8.8, 8.7, 8.6, 8.5, 8.3.

The second issue is a medium-severity vulnerability (CVE-2023-33299; CVSS 4.8). As explained in Fortinet’s advisory,

An improper neutralization of special elements used in a command (‘command injection’) vulnerability [CWE-77] in FortiNAC tcp/5555 service may allow an unauthenticated attacker to copy local files of the device to other local directories of the device via specially crafted input fields.

However, exploiting the flaw required an attacker to have prior access to the target FortiNAC device with sufficient privileges.

This vulnerability affected FortiNAC versions 9.4.0 through 9.4.3 and 7.2.0 through 7.2.1.

The researcher has shared a detailed technical analysis of both vulnerabilities in his blog post.

Fortinet Patched The Flaw

Before publishing the write-up, the researcher responsibly disclosed the flaws to Fortinet and discussed with them the disclosure timeline. Fortinet agreed to the timeline, releasing the bug fixes in time with the latest FortiNAC version 9.4.1 and the subsequent releases of other versions.

Since the updates have been released, users must ensure updating their respective systems with the latest versions to avoid threats.

Let us know your thoughts in the comments.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients