Cybersecurity solutions company Fortinet has updated its zero-trust access solution FortiNAC to address a critical-severity vulnerability that attackers could leverage to execute code and commands.
FortiNAC is a allows organizations to manage network-wide access policies, gain visibility of devices and users, and secure the network against unauthorized access and threats.
The security issue is tracked as CVE-2023-33299 and received a critical severity score of 9.6 out of 10. It is a deserialization of untrusted data that may lead to remote code execution (RCE) without authentication.
“A deserialization of untrusted data vulnerability [CWE-502] in FortiNAC may allow an unauthenticated user to execute unauthorized code or commands via specifically crafted requests to the TCP/1050 service” – Fortinet
The products impacted by this flaw are:
- FortiNAC version 9.4.0 through 9.4.2
- FortiNAC version 9.2.0 through 9.2.7
- FortiNAC version 9.1.0 through 9.1.9
- FortiNAC version 7.2.0 through 7.2.1
- FortiNAC 8.8, all versions
- FortiNAC 8.7, all versions
- FortiNAC 8.6, all versions
- FortiNAC 8.5, all versions
- FortiNAC 8.3, all versions
The recommended versions to upgrade to in order to address the risk that arises from the vulnerability are:
- FortiNAC 9.4.3 or above
- FortiNAC 9.2.8 or above
- FortiNAC 9.1.10 or above
- FortiNAC 7.2.2 or above
The vendor has provided no mitigation advice, so the recommended action is to apply the available security updates.
CVE-2023-33299 was discovered by Florian Hauser of Code White company that provides red team, penetration testing, and threat intelligence services.
Along with the critical RCE, Fortinet also annouced today that it fixed a medium-severity vulnerability tracked as CVE-2023-33300 – an improper access control issue affecting FortiNAC 9.4.0 through 9.4.3 and FortiNAC 7.2.0 through 7.2.1.
“An improper neutralization of special elements used in a command (‘command injection’) vulnerability [CWE-77] in FortiNAC TCP/5555 service may allow an unauthenticated attacker to copy local files of the device to other local directories of the device via specially crafted input fields” – Fortinet
The lower severity is given by the fact that CVE-2023-33300 can be exploited locally by an attacker with sufficiently high privileges to access the copied data.
Update without delay
Due to the level of access and control on the network, Fortinet products are particularly attractive for hackers. For the past few years, Fortinet devices have represented a target for various threat actors, who breached organizations with zero-day exploits and by hitting unpatched devices.
A recent example is CVE-2022-39952, a critical RCE impacting FortiNAC that received a fix in mid-February but hackers started using it in attacks a few days later, after proof-of-concept code was published.
In January, Fortinet warned that threat actors had exploited a vulnerability in FortiOS SSL-VPN (CVE-2022-42475) in attacks against government organizations before a fix was available.
Last year in October, the company urged customers to patch devices against a critical authentication bypass in FortiOS, FortiProxy, and FortiSwitchManager (CVE-2022-40684) because hackers started exploiting it.