CVE-2023-33299: Critical Remote Code Execution Vulnerability in FortiNAC
Fortinet has released a patch fixing a remote code execution vulnerability in several versions of FortiNAC
Background
On June 23, Fortinet published an advisory (FG-IR-23-074) that addresses a critical remote code execution vulnerability in FortiNAC, its Network Access Control solution:
| CVE | Description | CVSSv3 | Severity |
|---|---|---|---|
| CVE-2023-33299 | Fortinet ForitNAC deserialization of untrusted data vulnerability | 9.6 | Critical |
In addition to CVE-2023-33299, Fortinet published an additional advisory (FG-IR-23-096) for a separate vulnerability in FortiNAC:
| CVE | Description | CVSSv3 | Severity |
|---|---|---|---|
| CVE-2023-33300 | Fortinet ForitNAC command injection vulnerability | 4.8 | Medium |
Both flaws were disclosed to Fortinet by security researcher Florian Hauser of CODE WHITE GmbH.
Analysis
CVE-2023-33299 is a deserialization of untrusted data vulnerability in FortiNAC. A remote, unauthenticated attacker could exploit this vulnerability by sending a specially crafted request to the service running on TCP port 1050. Successful exploitation would give the attacker the ability to execute arbitrary code on the target device.
CVE-2023-33300 is a command injection vulnerability caused by improper neutralization of special elements used in commands affecting a smaller subset of versions of FortiNAC affected by CVE-2023-33299. The vulnerability allows an unauthenticated attacker to copy files locally on the device, but does not allow them to access them without having appropriate permissions. Unlike CVE-2023-33299, an attacker would need to be able to access the FortiNAC service on TCP port 5555.
Specified ports not commonly exposed to the public internet
In a blog post detailing his findings for both flaws, Hauser notes that there are a limited number of companies who have TCP ports 1050 and 5555 exposed to the internet. However, organizations that still utilize FortiNAC should apply these patches as soon as possible.
Previous FortiNAC vulnerability exploited in the wild in February 2023
Hauser’s research was inspired by the disclosure of a previous FortiNAC vulnerability in February 2023. Identified as CVE-2022-39952, the flaw was patched on February 16. However, on February 21, researchers at Shadowserver confirmed observed exploitation attempts against its honeypots:
We are seeing @Fortinet FortiNAC CVE-2022-39952 exploitation attempts from multiple IPs in our honeypot sensors. A PoC was published earlier today. Make sure to upgrade your FortiNAC as specified in: https://t.co/edZEG2VOzL
— Shadowserver (@Shadowserver) February 21, 2023
Proof of concept
Proofs-of-concept (PoC) for both CVE-2023-33299 and CVE-2023-33300 are available in Hauser’s blog post.
Solution
Fortinet has released patches for both CVEs across various versions of FortiNAC:
| Affected Versions | Fixed Versions | Associated CVEs |
|---|---|---|
| 9.4.0 through 9.4.2 | 9.4.3 or above | CVE-2023-33299 |
| 9.4.0 through 9.4.3 | 9.4.4 or above | CVE-2023-33300 |
| 9.2.0 through 9.2.7 | 9.2.8 or above | CVE-2023-33299 |
| 9.1.0 through 9.1.9 | 9.1.10 or above | CVE-2023-33299 |
| 7.2.0 and 7.2.1 | 7.2.2 or above | CVE-2023-33299, CVE-2023-33300 |
| 8.3 through 8.8 (all versions) | Upgrade to a non-affected version | CVE-2023-33299 |
Organizations are advised to apply these patches as soon as possible.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.
This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.
Get more information
- Fortinet PSIRT: FG-IR-23-074 (CVE-2023-33299)
- Fortinet PSIRT: FG-IR-23-096 (CVE-2023-33300)
- FortiNAC - Just a few more RCEs
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Related Articles
CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177: Frequently Asked Questions About Common UNIX Printing System (CUPS) Vulnerabilities
September 26, 2024Frequently asked questions about multiple vulnerabilities in the Common UNIX Printing System (CUPS) that were disclosed as zero-days on September 26.
Cybersecurity Snapshot: Critical Infrastructure Orgs Found Vulnerable to Basic Hacks, While New MITRE Tool Uses ML to Predict Attack Chains
September 20, 2024Report finds that many critical infrastructure networks can be breached using simple attacks. Plus, a new MITRE Engenuity tool uses machine learning to infer attack sequences. Meanwhile, CISA will lead a project to standardize civilian agencies’ cyber operations. And get the latest on XSS vulnerabilities, CIS Benchmarks and a China-backed botnet’s takedown!
Microsoft’s September 2024 Patch Tuesday Addresses 79 CVEs (CVE-2024-43491)
September 10, 2024Microsoft addresses 79 CVEs with seven critical vulnerabilities and four zero-day vulnerabilities, including three that were exploited in the wild.
Cybersecurity Snapshot: Many Employees Overshare Work Info with AI Tools, Report Finds, as ‘Cybersecurity Awareness Month’ Kicks Off
October 4, 2024Check out the best practices cyber agencies are promoting during Cybersecurity Awareness Month, as a report warns that staffers are feeding confidential info to AI tools. Meanwhile, a study highlights how business decisions can derail OT security. Plus, get the latest on Active Directory security, CISO salary trends and ransomware attacks!
How to Unlock Advanced IoT Visibility for Cyber-Physical Systems
October 1, 2024As the number of IoT devices deployed globally continues to rise, cyber-physical systems and business operations are exposed to greater risk. Improving asset visibility, monitoring and risk management are critical steps to preventing breaches.
Cybersecurity Snapshot: NIST Program Probes AI Cyber and Privacy Risks, as U.S. Gov’t Tackles Automotive IoT Threat from Russia, China
September 27, 2024A new NIST program will revise security frameworks like NIST’s CSF as AI risks intensify. Plus, the U.S. may ban cars with Russian and Chinese IoT components. Meanwhile, the CSA adds AI insights to its zero trust guide. And get the latest on cybersecurity budgets, SBOMs and the Ghost cybercrime platform!
- Vulnerability Management
- Exposure Management
- Vulnerability Management