Channel: Tenable Blog

CVE-2023-33299: Critical Remote Code Execution Vulnerability in FortiNAC


Fortinet has released a patch fixing a remote code execution vulnerability in several versions of FortiNAC.

Background

On June 23, Fortinet published an advisory (FG-IR-23-074) that addresses a critical remote code execution vulnerability in FortiNAC, its Network Access Control solution:

| CVE | Description | CVSSv3 | Severity |
|---|---|---|---|
| CVE-2023-33299 | Fortinet FortiNAC deserialization of untrusted data vulnerability | 9.6 | Critical |

Alongside CVE-2023-33299, Fortinet published a second advisory (FG-IR-23-096) for a separate vulnerability in FortiNAC:

| CVE | Description | CVSSv3 | Severity |
|---|---|---|---|
| CVE-2023-33300 | Fortinet FortiNAC command injection vulnerability | 4.8 | Medium |

Both flaws were disclosed to Fortinet by security researcher Florian Hauser of CODE WHITE GmbH.

Analysis

CVE-2023-33299 is a deserialization of untrusted data vulnerability in FortiNAC. A remote, unauthenticated attacker could exploit this vulnerability by sending a specially crafted request to the service running on TCP port 1050. Successful exploitation would give the attacker the ability to execute arbitrary code on the target device.

CVE-2023-33300 is a command injection vulnerability caused by improper neutralization of special elements used in commands. It affects a smaller subset of the FortiNAC versions affected by CVE-2023-33299. The vulnerability allows an unauthenticated attacker to copy files locally on the device, but does not allow the attacker to access those files without appropriate permissions. Unlike CVE-2023-33299, exploiting this flaw requires that the attacker be able to reach the FortiNAC service on TCP port 5555.

Specified ports not commonly exposed to the public internet

In a blog post detailing his findings for both flaws, Hauser notes that only a limited number of companies have TCP ports 1050 and 5555 exposed to the internet. However, organizations that still utilize FortiNAC should apply these patches as soon as possible.

Previous FortiNAC vulnerability exploited in the wild in February 2023

Hauser’s research was inspired by the disclosure of a previous FortiNAC vulnerability in February 2023. Identified as CVE-2022-39952, the flaw was patched on February 16. However, on February 21, researchers at Shadowserver confirmed that they had observed exploitation attempts against its honeypots.

Proof of concept

Proofs-of-concept (PoC) for both CVE-2023-33299 and CVE-2023-33300 are available in Hauser’s blog post.

Solution

Fortinet has released patches for both CVEs across various versions of FortiNAC:

| Affected Versions | Fixed Versions | Associated CVEs |
|---|---|---|
| 9.4.0 through 9.4.2 | 9.4.3 or above | CVE-2023-33299 |
| 9.4.0 through 9.4.3 | 9.4.4 or above | CVE-2023-33300 |
| 9.2.0 through 9.2.7 | 9.2.8 or above | CVE-2023-33299 |
| 9.1.0 through 9.1.9 | 9.1.10 or above | CVE-2023-33299 |
| 7.2.0 and 7.2.1 | 7.2.2 or above | CVE-2023-33299, CVE-2023-33300 |
| 8.3 through 8.8 (all versions) | Upgrade to a non-affected version | CVE-2023-33299 |

Organizations are advised to apply these patches as soon as possible.
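The table above can be turned into a version triage check for a FortiNAC inventory. This is an added example, not code from Tenable or Fortinet: the function names, the hostnames and the handling of extra build fields in a version string are assumptions. It shows the two cases that are easy to get wrong by eye: 9.4.3 fixes CVE-2023-33299 but is still affected by CVE-2023-33300, and 9.1.10 must be compared numerically against 9.1.9.

```python
import re

# Ranges transcribed from the table above: (first affected, last affected, first fixed, CVE).
# Two-part bounds match on major.minor only; None means there is no fix in that branch.
RANGES = [
    ((9, 4, 0), (9, 4, 2), (9, 4, 3), "CVE-2023-33299"),
    ((9, 4, 0), (9, 4, 3), (9, 4, 4), "CVE-2023-33300"),
    ((9, 2, 0), (9, 2, 7), (9, 2, 8), "CVE-2023-33299"),
    ((9, 1, 0), (9, 1, 9), (9, 1, 10), "CVE-2023-33299"),
    ((7, 2, 0), (7, 2, 1), (7, 2, 2), "CVE-2023-33299"),
    ((7, 2, 0), (7, 2, 1), (7, 2, 2), "CVE-2023-33300"),
    ((8, 3), (8, 8), None, "CVE-2023-33299"),
]

def parse_version(text):
    """Return (major, minor, patch) as ints; extra build fields are ignored (assumption)."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError(f"no dotted version in {text!r}")
    parts = [int(p) for p in m.group().split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(text):
    """Map each applicable CVE to its first fixed version (None: leave the branch)."""
    v = parse_version(text)
    return {cve: fixed for lo, hi, fixed, cve in RANGES
            if lo <= v[:len(lo)] and v[:len(hi)] <= hi}

def upgrade_target(text):
    """Lowest version that clears every listed CVE, or a note when none exists."""
    fixes = list(triage(text).values())
    if not fixes:
        return "not listed as affected"  # absent from the table, which is not proof of safety
    if None in fixes:
        return "upgrade to a non-affected version"
    return ".".join(map(str, max(fixes))) + " or above"

if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are made up for the example.
    inventory = {"nac-hq": "9.4.2", "nac-lab": "9.4.3", "nac-dr": "9.1.10", "nac-old": "8.5.2"}
    for host, version in inventory.items():
        cves = ", ".join(sorted(triage(version))) or "-"
        print(f"{host:8} {version:7} {cves:32} {upgrade_target(version)}")
```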

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

