New Fortinet's FortiNAC Vulnerability Exposes Networks to Code Execution Attacks

Fortinet has rolled out updates to address a critical security vulnerability impacting its FortiNAC network access control solution that could lead to the execution of arbitrary code.

Tracked as CVE-2023-33299, the flaw is rated 9.6 out of 10 for severity on the CVSS scoring system. It has been described as a case of Java untrusted object deserialization.

“A deserialization of untrusted data vulnerability [CWE-502] in FortiNAC may allow an unauthenticated user to execute unauthorized code or commands via specifically crafted requests to the tcp/1050 service,” Fortinet said in an advisory published last week.

The shortcoming impacts the following products, with patches available in FortiNAC versions 7.2.2, 9.1.10, 9.2.8, and 9.4.3 or later -

• FortiNAC version 9.4.0 through 9.4.2
• FortiNAC version 9.2.0 through 9.2.7
• FortiNAC version 9.1.0 through 9.1.9
• FortiNAC version 7.2.0 through 7.2.1
• FortiNAC 8.8 all versions
• FortiNAC 8.7 all versions
• FortiNAC 8.6 all versions
• FortiNAC 8.5 all versions, and
• FortiNAC 8.3 all versions

Also resolved by Fortinet is a medium-severity vulnerability tracked as CVE-2023-33300 (CVSS score: 4.8), an improper access control issue affecting FortiNAC 9.4.0 through 9.4.3 and FortiNAC 7.2.0 through 7.2.1. It has been fixed in FortiNAC versions 7.2.2 and 9.4.4.

Florian Hauser from German cybersecurity firm CODE WHITE has been credited with discovering and reporting the two bugs.

The alert follows the active exploitation of another critical vulnerability affecting FortiOS and FortiProxy (CVE-2023-27997, CVSS score: 9.2) that could allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.

Fortinet, earlier this month, acknowledged that the issue may have been abused in limited attacks targeting government, manufacturing, and critical infrastructure sectors, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog.

It also comes more than four months after Fortinet addressed a severe bug in FortiNAC (CVE-2022-39952, CVSS score: 9.8) that could lead to arbitrary code execution. The flaw has since come under active exploitation shortly after a proof-of-concept (PoC) was made available.

In a related development, Grafana has released patches for a critical security vulnerability (CVE-2023-3128) that could permit malicious attackers to bypass authentication and take over any account that uses Azure Active Directory for authentication.

“If exploited, the attacker can gain complete control of a user’s account, including access to private customer data and sensitive information,” Grafana said. “If exploited, the attacker can gain complete control of a user’s account, including access to private customer data and sensitive information.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.