CVE-2023-33299: Critical Remote Code Execution Vulnerability in FortiNAC


Fortinet has released a patch fixing a remote code execution vulnerability in several versions of FortiNAC

Background

On June 23, Fortinet published an advisory (FG-IR-23-074) that addresses a critical remote code execution vulnerability in FortiNAC, its Network Access Control solution:

CVE            | Description                                                       | CVSSv3 | Severity
CVE-2023-33299 | Fortinet FortiNAC deserialization of untrusted data vulnerability | 9.6    | Critical

In addition to CVE-2023-33299, Fortinet published an additional advisory (FG-IR-23-096) for a separate vulnerability in FortiNAC:

CVE            | Description                                     | CVSSv3 | Severity
CVE-2023-33300 | Fortinet FortiNAC command injection vulnerability | 4.8    | Medium

Both flaws were disclosed to Fortinet by security researcher Florian Hauser of CODE WHITE GmbH.

Analysis

CVE-2023-33299 is a deserialization of untrusted data vulnerability in FortiNAC. A remote, unauthenticated attacker could exploit this vulnerability by sending a specially crafted request to the service running on TCP port 1050. Successful exploitation would give the attacker the ability to execute arbitrary code on the target device.

CVE-2023-33300 is a command injection vulnerability caused by improper neutralization of special elements used in a command. It affects a smaller subset of the FortiNAC versions affected by CVE-2023-33299. The vulnerability allows an unauthenticated attacker to copy files locally on the device, but not to read them without the appropriate permissions. Unlike CVE-2023-33299, exploitation requires access to the FortiNAC service on TCP port 5555.

Specified ports not commonly exposed to the public internet

In a blog post detailing his findings for both flaws, Hauser notes that only a limited number of organizations have TCP ports 1050 and 5555 exposed to the internet. However, organizations that still utilize FortiNAC should apply these patches as soon as possible.

Previous FortiNAC vulnerability exploited in the wild in February 2023

Hauser’s research was inspired by the disclosure of a previous FortiNAC vulnerability in February 2023. Identified as CVE-2022-39952, the flaw was patched on February 16. However, on February 21, researchers at Shadowserver confirmed that they had observed exploitation attempts against their honeypots.

Proof of concept

Proofs-of-concept (PoC) for both CVE-2023-33299 and CVE-2023-33300 are available in Hauser’s blog post.

Solution

Fortinet has released patches for both CVEs across various versions of FortiNAC:

Affected Versions               | Fixed Versions                   | Associated CVEs
9.4.0 through 9.4.2             | 9.4.3 or above                   | CVE-2023-33299
9.4.0 through 9.4.3             | 9.4.4 or above                   | CVE-2023-33300
9.2.0 through 9.2.7             | 9.2.8 or above                   | CVE-2023-33299
9.1.0 through 9.1.9             | 9.1.10 or above                  | CVE-2023-33299
7.2.0 and 7.2.1                 | 7.2.2 or above                   | CVE-2023-33299, CVE-2023-33300
8.3 through 8.8 (all versions)  | Upgrade to a non-affected version | CVE-2023-33299

Organizations are advised to apply these patches as soon as possible.
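As an added example (not Tenable's or Fortinet's code), the affected and fixed ranges from the table above transcribed into a small Python triage helper that an asset-inventory team can run over exported FortiNAC version strings; the sample version numbers at the bottom are constructed, not real hosts.

```python
from dataclasses import dataclass

def parse_version(v: str) -> tuple:
    """'9.4.2' -> (9, 4, 2); 'v9.4' -> (9, 4, 0). Integer tuples compare
    numerically, so 9.1.10 correctly sorts above 9.1.9 (strings would not)."""
    parts = [int(p) for p in v.strip().lstrip("vV").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

@dataclass(frozen=True)
class Advisory:
    cve: str
    low: tuple    # first affected version (inclusive)
    high: tuple   # last affected version (inclusive; shorter tuple = prefix)
    fixed: str    # remediation from the Fortinet advisory

# Transcribed from the Affected/Fixed Versions table above.
ADVISORIES = [
    Advisory("CVE-2023-33299", (9, 4, 0), (9, 4, 2), "9.4.3 or above"),
    Advisory("CVE-2023-33300", (9, 4, 0), (9, 4, 3), "9.4.4 or above"),
    Advisory("CVE-2023-33299", (9, 2, 0), (9, 2, 7), "9.2.8 or above"),
    Advisory("CVE-2023-33299", (9, 1, 0), (9, 1, 9), "9.1.10 or above"),
    Advisory("CVE-2023-33299", (7, 2, 0), (7, 2, 1), "7.2.2 or above"),
    Advisory("CVE-2023-33300", (7, 2, 0), (7, 2, 1), "7.2.2 or above"),
    # 8.3 through 8.8, all patch levels: bounds are 2-tuples, matched as prefixes.
    Advisory("CVE-2023-33299", (8, 3), (8, 8), "upgrade to a non-affected version"),
]

def in_range(version: tuple, low: tuple, high: tuple) -> bool:
    """Inclusive test. The upper bound is compared on its own length, so
    (8, 8) covers every 8.8.x build even though (8, 8, 7) > (8, 8) as tuples."""
    if version < low:
        return False
    return version[:len(high)] <= high

def triage(version: str) -> dict:
    """Which CVEs apply to `version`, and what the advisory says to move to."""
    v = parse_version(version)
    hits = [a for a in ADVISORIES if in_range(v, a.low, a.high)]
    return {"version": version,
            "cves": sorted({a.cve for a in hits}),
            "fixed": sorted({a.fixed for a in hits})}

if __name__ == "__main__":
    # Constructed inventory entries, not real hosts.
    for ver in ["9.4.2", "9.4.3", "9.4.4", "8.8.7", "9.1.10", "7.2.1"]:
        print(triage(ver))
```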

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.

Get more information

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
