Fortinet Patches Critical RCE Vulnerabilities in FortiNAC and FortiWeb

Share :

On Thursday, February 16, 2023, Fortinet patched two critical unauthenticated remote code execution vulnerabilities, one impacting FortiNAC (CVE-2022-39952) and one impacting FortiWeb (CVE-2021-42756). Both vulnerabilities were discovered by Fortinet’s Product Security team.  

Based on CISA’s Known Exploited Vulnerabilities Catalog, threat actors have leveraged Fortinet vulnerabilities in campaigns. However, threat actors have not targeted FortiNAC or FortiWeb products historically. Arctic Wolf Labs has observed proof of concept (PoC) exploit code being made publicly available for CVE-2022-39952. Security researchers have also started seeing active exploitation of CVE-2022-39952 occurring in the wild now that PoC exploit code has been published. 

CVE-2022-39952 (CVSS 9.8): An external control of file name or path in FortiNAC’s keyUpload scriptlet could allow an unauthenticated threat actor to perform arbitrary write on the vulnerable system.  

Product  Impacted Versions  Fixed Versions 
FortiNAC  FortiNAC version 9.4.0
FortiNAC version 9.2.0 through 9.2.5
FortiNAC version 9.1.0 through 9.1.7
FortiNAC 8.8 all versions
FortiNAC 8.7 all versions
FortiNAC 8.6 all versions
FortiNAC 8.5 all versions
FortiNAC 8.3 all versions 
FortiNAC version 9.4.1 or above
FortiNAC version 9.2.6 or above
FortiNAC version 9.1.8 or above
FortiNAC version 7.2.0 or above 

 

CVE-2021-42756 (CVSS 9.3): Multiple stack-based buffer overflow vulnerabilities in FortiWeb’s proxy daemon could allow an unauthenticated threat actor to execute arbitrary code via specially crafted HTTP requests.  

  • Based on the CVE number, Fortinet discovered the vulnerability in 2021. However, it was not disclosed until February 16, 2023.  
Product  Impacted Versions  Fixed Versions 
FortiWeb 

FortiWeb versions 5.x all versions
FortiWeb versions 6.0.7 and below
FortiWeb versions 6.1.2 and below
FortiWeb versions 6.2.6 and below
FortiWeb versions 6.3.16 and below
FortiWeb versions 6.4 all versions 

FortiWeb 7.0.0 or above
FortiWeb 6.3.17 or above
FortiWeb 6.2.7 or above
FortiWeb 6.1.3 or above
FortiWeb 6.0.8 or above 

  

Arctic Wolf will follow its standard internal processes to assess the impact of the newly reported vulnerabilities within its own environment and if impacted, will address it within the established remediation timelines in our Security Patching Policy. 

Recommendations 

Recommendation #1: Upgrade FortiNAC and/or FortiWEB 

Arctic Wolf strongly recommends upgrading FortiNAC and FortiWeb to the latest versions to fully remediate the vulnerabilities and prevent potential exploitation. 

Product  Fixed Versions 
FortiNAC 

FortiNAC version 9.4.1 or above
FortiNAC version 9.2.6 or above
FortiNAC version 9.1.8 or above
FortiNAC version 7.2.0 or above 

FortiWeb 

FortiWeb 7.0.0 or above
FortiWeb 6.3.17 or above
FortiWeb 6.2.7 or above
FortiWeb 6.1.3 or above
FortiWeb 6.0.8 or above 

 

Note: Arctic Wolf recommends following change management best practices for applying security patches, including testing changes in a dev environment before deploying to production to avoid any operational impact. 

References 

James Liolios

James Liolios

James Liolios is a Senior Threat Intelligence Researcher at Arctic Wolf, where he keeps a watchful eye on the latest threats and threat actors to understand the potential impact to Arctic Wolf customers. He has a background of 9 years' experience in many areas of cybersecurity, holds a bachelor's degree in Information Security, and is also CISSP certified.
Share :
Table of Contents
Categories
Subscribe to our Monthly Newsletter