WARNING: FORTINET PATCHES TWO CRITICAL SEVERITY VULNERABILITIES IN ITS PRODUCTS
CVE-2022-39952 (CVSS: 9.8)
CVE-2021-42756 (CVSS: 9.3)
Fortinet has released security updates to address a remote code execution (RCE) vulnerability and a stack-based buffer overflow vulnerability, affecting the FortiNAC web server and FortiWeb respectively. The impact on confidentiality, integrity and availability is high.
The FortiNAC web server contains a remote code execution (RCE) flaw, CVE-2022-39952, that could allow an unauthenticated attacker to execute arbitrary code on the affected system.
Successful exploitation of the stack-based buffer overflow vulnerability, CVE-2021-42756, in FortiWeb's proxy daemon may allow an unauthenticated remote attacker to achieve arbitrary code execution via specially crafted HTTP requests.
The remote code execution vulnerability in the Fortinet FortiNAC web server affects versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, and 8.3.7.
The security flaw CVE-2021-42756 in the FortiWeb proxy daemon affects all 5.x versions, 6.0.7 and below, 6.1.2 and below, 6.2.6 and below, 6.3.16 and below, and all 6.4 versions.
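As an added illustration (not part of the CCB advisory or of any Fortinet tooling), the following Python encodes the affected ranges listed above and checks inventory version strings against them. It assumes dotted numeric version strings such as 9.2.3 and treats the stated bounds as inclusive; the inventory lines are constructed sample data.

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """Turn '9.2.3' into (9, 2, 3); shorter strings are zero-padded to three parts."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * max(0, 3 - len(parts))

# Inclusive (lowest, highest) bounds from the advisory. A None upper bound
# means every release on the branch named by the prefix is affected.
AFFECTED: Dict[str, Tuple[str, List[Tuple[Version, Optional[Version]]]]] = {
    "FortiNAC": ("CVE-2022-39952", [
        ((9, 4, 0), (9, 4, 0)), ((9, 2, 0), (9, 2, 5)), ((9, 1, 0), (9, 1, 7)),
        ((8, 8, 0), (8, 8, 11)), ((8, 7, 0), (8, 7, 6)), ((8, 6, 0), (8, 6, 5)),
        ((8, 5, 0), (8, 5, 4)), ((8, 3, 7), (8, 3, 7)),
    ]),
    "FortiWeb": ("CVE-2021-42756", [
        ((5,), None),                       # 5.x, all versions
        ((6, 0, 0), (6, 0, 7)), ((6, 1, 0), (6, 1, 2)),
        ((6, 2, 0), (6, 2, 6)), ((6, 3, 0), (6, 3, 16)),
        ((6, 4), None),                     # 6.4, all versions
    ]),
}

def check_version(product: str, version_text: str) -> Optional[str]:
    """Return the CVE id if this product version lies in an affected range, else None."""
    cve, ranges = AFFECTED[product]
    version = parse_version(version_text)
    for low, high in ranges:
        if high is None:
            if version[:len(low)] == low:   # whole-branch match, e.g. any 5.x
                return cve
        elif low <= version <= high:        # tuple comparison on padded versions
            return cve
    return None

# Constructed sample inventory, one "product,version" per line (not real hosts).
SAMPLE_INVENTORY = """FortiNAC,9.2.3
FortiNAC,9.2.6
FortiWeb,5.9.1
FortiWeb,6.3.17
FortiWeb,6.4.2"""

def vulnerable_entries(inventory: str) -> List[Tuple[str, str, str]]:
    """Return (product, version, cve) for each inventory line in an affected range."""
    hits = []
    for line in inventory.splitlines():
        product, version = line.split(",")
        cve = check_version(product, version)
        if cve:
            hits.append((product, version, cve))
    return hits

if __name__ == "__main__":
    for product, version, cve in vulnerable_entries(SAMPLE_INVENTORY):
        print(f"{product} {version}: affected by {cve}, update required")
```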
A complete proof-of-concept (PoC) script for CVE-2022-39952 is publicly available: https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/
There are currently no reports of these vulnerabilities being exploited in the wild.
The CCB recommends that administrators install the updated versions of the FortiNAC web server and the FortiWeb proxy daemon released by the vendor.
At present there are no mitigations or workarounds for the discovered security flaws, so updating the impacted products is the only recommended approach to address the risks.