Black Arrow Cyber Advisory - 26 June 2023 – Organisations Urged to Address Critical Vulnerability Found in Fortinet’s FortiNAC Products
Executive summary
A critical vulnerability has been identified and addressed in Fortinet FortiNAC products. FortiNAC is a network access control solution, and successful exploitation of the critical vulnerability allows a threat actor to execute code remotely without authentication. A second vulnerability, which allowed improper local access in FortiNAC, has also been addressed.
What’s the risk to me or my business?
The vulnerabilities, if exploited, could allow an attacker to execute code remotely or to copy local files, either of which compromises the confidentiality, integrity and availability of data in your organisation.
Technical Summary
CVE-2023-33299 - This critical vulnerability is an untrusted object deserialization flaw that allows an unauthenticated user to execute code or commands via specially crafted requests.
CVE-2023-33300 - This vulnerability allows an unauthenticated attacker to copy local files to other local folders on the device through specially crafted input fields. It requires local access.
What can I do?
There is no mitigation advice for the critical vulnerability (CVE-2023-33299); customers are therefore urged to upgrade their FortiNAC installation immediately to the fixed version for the product branch in use. No upgrade is available for FortiNAC products running any 8.x version. For the other vulnerability, CVE-2023-33300, users on affected versions should upgrade to 9.4.4 or above, or to 7.2.2 or above.
Affected products for the critical vulnerability (CVE-2023-33299) and their patches include:
FortiNAC version 9.4.0 through 9.4.2: upgrade to 9.4.3 or above
FortiNAC version 9.2.0 through 9.2.7: upgrade to 9.2.8 or above
FortiNAC version 9.1.0 through 9.1.9: upgrade to 9.1.10 or above
FortiNAC version 7.2.0 through 7.2.1: upgrade to 7.2.2 or above
FortiNAC 8.8, all versions (no upgrade available)
FortiNAC 8.7, all versions (no upgrade available)
FortiNAC 8.6, all versions (no upgrade available)
FortiNAC 8.5, all versions (no upgrade available)
FortiNAC 8.3, all versions (no upgrade available)
Affected products for CVE-2023-33300 and their patches include:
FortiNAC version 9.4.0 through 9.4.3: upgrade to 9.4.4 or above
FortiNAC version 7.2.0 through 7.2.1: upgrade to 7.2.2 or above
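The affected-version ranges above, applied to a host inventory so that each FortiNAC appliance is flagged per CVE with the build it needs. This is an added example, not code from the Black Arrow or Fortinet advisories; the hostnames and versions in the sample inventory are constructed, and versions not listed in the advisory are reported as not affected.

```python
# Added triage helper (not from the advisory). Ranges are transcribed from the
# version lists above: (first affected, last affected, fixed-in). A two-component
# bound such as "8.8" stands for "all versions" of that branch; fixed-in None
# means no fixed build exists in that branch (all 8.x releases).
ADVISORY = {
    "CVE-2023-33299": [
        ("9.4.0", "9.4.2", "9.4.3"),
        ("9.2.0", "9.2.7", "9.2.8"),
        ("9.1.0", "9.1.9", "9.1.10"),
        ("7.2.0", "7.2.1", "7.2.2"),
        ("8.8", "8.8", None), ("8.7", "8.7", None), ("8.6", "8.6", None),
        ("8.5", "8.5", None), ("8.3", "8.3", None),
    ],
    "CVE-2023-33300": [
        ("9.4.0", "9.4.3", "9.4.4"),
        ("7.2.0", "7.2.1", "7.2.2"),
    ],
}

def parse_version(s):
    return tuple(int(p) for p in s.strip().split("."))

def _in_range(v, lo, hi):
    # Compare only as many components as the bound supplies, so ("8", "8")
    # matches every 8.8.x build; pad short inventory versions with zeros.
    n = len(lo)
    if len(v) < n:
        v = v + (0,) * (n - len(v))
    return lo <= v[:n] <= hi

def triage(cve, version):
    """Return (affected, fixed_in); fixed_in is None when the branch has no fix."""
    v = parse_version(version)
    for lo, hi, fixed in ADVISORY[cve]:
        if _in_range(v, parse_version(lo), parse_version(hi)):
            return True, fixed
    return False, None

def triage_inventory(hosts):
    """hosts: {hostname: version}. Returns {hostname: {cve: fixed_in}} for affected hosts."""
    findings = {}
    for host, version in hosts.items():
        hits = {}
        for cve in ADVISORY:
            affected, fixed = triage(cve, version)
            if affected:
                hits[cve] = fixed
        if hits:
            findings[host] = hits
    return findings

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {"nac-01": "9.4.3", "nac-02": "9.2.8", "nac-03": "8.8.2", "nac-04": "7.2.1"}
```

Note that 9.4.3 closes CVE-2023-33299 but is still listed as affected by CVE-2023-33300, so a host on that build is reported with 9.4.4 as its target.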
Further details on Fortinet's advisory for the critical vulnerability (CVE-2023-33299) can be found here:
https://www.fortiguard.com/psirt/FG-IR-23-074
Further details on Fortinet's advisory for CVE-2023-33300 can be found here:
https://www.fortiguard.com/psirt/FG-IR-23-096
Need help understanding your gaps, or just want some advice? Get in touch with us.