On Thursday, 16 February 2023, Fortinet patched two critical unauthenticated remote code execution vulnerabilities, one impacting FortiNAC (CVE-2022-39952) and one impacting FortiWeb (CVE-2021-42756). Both vulnerabilities were discovered by Fortinet’s Product Security team.
Based on CISA’s Known Exploited Vulnerabilities Catalog, threat actors have leveraged Fortinet vulnerabilities in past campaigns; however, neither FortiNAC nor FortiWeb has historically been among the targeted products. Arctic Wolf Labs has observed proof of concept (PoC) exploit code being made publicly available for CVE-2022-39952, and security researchers have since begun seeing active exploitation of CVE-2022-39952 in the wild.
CVE-2022-39952 (CVSS 9.8): An external control of file name or path in FortiNAC’s keyUpload scriptlet could allow an unauthenticated threat actor to perform arbitrary write on the vulnerable system.
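The weakness class named above (external control of a file name or path, CWE-73) is what turns a file-upload handler into an arbitrary write primitive. The following is an added, generic illustration written for this bulletin; it is not FortiNAC code and does not reproduce the keyUpload scriptlet. The function names, the scratch directory and the hostile file name are constructed for the example. It shows the vulnerable pattern (request-supplied name joined straight into a path) beside a hardened version that only accepts a single path component and verifies the canonical target stays inside the upload directory.

```python
import os
import tempfile
from pathlib import Path


def save_upload_unsafe(base_dir, name, data):
    """Vulnerable pattern: the caller-controlled name is joined directly into the path.

    A name containing '../' (or an absolute path) escapes base_dir, giving the
    caller an arbitrary file write as whatever user the service runs as.
    """
    target = os.path.join(base_dir, name)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as f:
        f.write(data)
    return os.path.abspath(target)


def save_upload_safe(base_dir, name, data):
    """Hardened: accept only a bare file name, then confirm the canonical path
    still resolves to a direct child of the (also canonical) upload directory."""
    base = Path(base_dir).resolve()
    if name in ("", ".", "..") or Path(name).name != name:
        raise ValueError("file name must be a single path component")
    target = (base / name).resolve()
    if target.parent != base:
        raise ValueError("path escapes upload directory")
    target.write_bytes(data)
    return str(target)


def demo():
    """Exercise both handlers in a scratch directory (constructed input) and
    report what each did; returns a dict rather than printing so it can be checked."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    hostile = "../escaped.txt"  # constructed traversal name, one level above uploads/

    written = save_upload_unsafe(uploads, hostile, b"owned")
    results = {"unsafe_wrote_outside": os.path.dirname(written) == os.path.abspath(root)}

    try:
        save_upload_safe(uploads, hostile, b"owned")
        results["safe_rejected"] = False
    except ValueError:
        results["safe_rejected"] = True

    ok = save_upload_safe(uploads, "report.txt", b"fine")
    results["safe_wrote_inside"] = os.path.dirname(ok) == os.path.realpath(uploads)
    return results


if __name__ == "__main__":
    print(demo())
```

The containment check compares resolved paths rather than string prefixes, so a symlink inside the upload directory or a prefix collision such as `uploads-old/` cannot be used to slip past it.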
| Product | Impacted Versions | Fixed Versions |
| --- | --- | --- |
| FortiNAC | 9.4.0; 9.2.0 through 9.2.5; 9.1.0 through 9.1.7; 8.8 (all versions); 8.7 (all versions); 8.6 (all versions); 8.5 (all versions); 8.3 (all versions) | 9.4.1 or above; 9.2.6 or above; 9.1.8 or above; 7.2.0 or above |
CVE-2021-42756 (CVSS 9.3): Multiple stack-based buffer overflow vulnerabilities in FortiWeb’s proxy daemon could allow an unauthenticated threat actor to execute arbitrary code via specially crafted HTTP requests.
- Based on the CVE number, Fortinet discovered the vulnerability in 2021. However, it was not disclosed until February 16, 2023.
| Product | Impacted Versions | Fixed Versions |
| --- | --- | --- |
| FortiWeb | 5.x (all versions) | 7.0.0 or above |
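The two version tables above are easy to misread when checking an estate by hand, particularly the FortiNAC branches marked "all versions". The following is an added helper written for this bulletin (not Fortinet or Arctic Wolf tooling) that encodes exactly the impacted and fixed versions listed here and classifies a version string. Its function names are assumptions. A version that falls in none of the listed ranges is reported as "not listed" rather than "fixed", because this bulletin does not enumerate every branch; those should be checked against the vendor advisories in the references.

```python
import re

# Inclusive (low, high) ranges per branch, copied from the impacted-version tables above.
# A branch given as "all versions" is modeled as patch 0 .. ALL.
ALL = 10**6
AFFECTED = {
    "FortiNAC": [
        ((9, 4, 0), (9, 4, 0)),
        ((9, 2, 0), (9, 2, 5)),
        ((9, 1, 0), (9, 1, 7)),
        ((8, 8, 0), (8, 8, ALL)),
        ((8, 7, 0), (8, 7, ALL)),
        ((8, 6, 0), (8, 6, ALL)),
        ((8, 5, 0), (8, 5, ALL)),
        ((8, 3, 0), (8, 3, ALL)),
    ],
    "FortiWeb": [
        ((5, 0, 0), (5, ALL, ALL)),
    ],
}

# Lowest fixed build per branch ("X or above"), from the fixed-version tables above.
FIXED = {
    "FortiNAC": [(9, 4, 1), (9, 2, 6), (9, 1, 8), (7, 2, 0)],
    "FortiWeb": [(7, 0, 0)],
}


def parse_version(text):
    """Extract major.minor[.patch] from strings such as '9.2.5', 'v9.4.1' or
    'FortiNAC 8.8'; a missing patch component is treated as 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def assess(product, version_text):
    """Return (status, upgrade_target) for a product/version pair.

    status is 'vulnerable', 'fixed' or 'not listed'. For a vulnerable build the
    target is the lowest fixed build on the same major.minor branch when this
    bulletin lists one, otherwise the newest fixed build listed.
    """
    v = parse_version(version_text)
    if any(lo <= v <= hi for lo, hi in AFFECTED[product]):
        same_branch = [f for f in FIXED[product] if f[:2] == v[:2]]
        target = same_branch[0] if same_branch else max(FIXED[product])
        return ("vulnerable", ".".join(str(n) for n in target))
    if any(v[:2] == f[:2] and v >= f for f in FIXED[product]):
        return ("fixed", None)
    return ("not listed", None)


if __name__ == "__main__":
    # Constructed inventory lines, not real hosts.
    for product, version in [("FortiNAC", "9.2.5"), ("FortiNAC", "8.8.11"),
                             ("FortiNAC", "9.2.6"), ("FortiWeb", "5.9.1"),
                             ("FortiWeb", "7.0.3")]:
        print(product, version, assess(product, version))
```

"Or above" is interpreted within a branch (9.2.6 or above covers 9.2.x only), which matches how the fixed-version tables are organised; an end-of-life branch such as FortiNAC 8.x has no same-branch fix, so the helper points at the newest listed fixed build.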
Arctic Wolf will follow its standard internal processes to assess the impact of the newly reported vulnerabilities within its own environment and if impacted, will address it within the established remediation timelines in our Security Patching Policy.
Recommendations
Recommendation #1: Upgrade FortiNAC and/or FortiWeb
Arctic Wolf strongly recommends upgrading FortiNAC and FortiWeb to the latest versions to fully remediate the vulnerabilities and prevent potential exploitation.
| Product | Fixed Versions |
| --- | --- |
| FortiNAC | 9.4.1 or above |
| FortiWeb | 7.0.0 or above |
Note: Arctic Wolf recommends following change management best practices for applying security patches, including testing changes in a dev environment before deploying to production to avoid any operational impact.
References
- Fortinet Advisory (CVE-2022-39952): https://www.fortiguard.com/psirt/FG-IR-22-300
- Fortinet Advisory (CVE-2021-42756): https://www.fortiguard.com/psirt/FG-IR-21-186