The tech giant Fortinet has recently fixed critical vulnerabilities in its FortiNAC and FortiWeb products. Exploiting the vulnerabilities could allow remote code execution attacks. Given the critical severity of the flaws, users must rush to update their systems with the patched versions at the earliest.
Fortinet Disclosed FortiNAC And FortiWeb Vulnerabilities
Fortinet has recently shared details about the serious vulnerabilities affecting its security products, FortiNAC and FortiWeb.
Specifically, FortiNAC is a dedicated network access control solution ensuring zero-trust access to the intended network. It works well for securing sensitive networks, IoT, IT, and connected infrastructure. FortiWeb is a web application firewall (WAF) protecting web apps and APIs against known exploits.
Regarding FortiNAC, the vendor highlighted the existence of an external control of file name or path vulnerability in keyUpload scriptlet. Exploiting the vulnerability could allow an unauthenticated adversary to perform arbitrary write on the target system. As mentioned in Fortinet’s advisory, the vulnerability, CVE-2022-39952, received a critical severity rating with a CVSS score of 9.8.
This vulnerability affects the FortiNAC version 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8 (all versions), 8.7 (all versions), 8.6 (all versions), 8.5 (all versions), and 8.3 (all versions).
As for FortiWeb, the firm mentioned the existence of stack-based buffer overflow in the firewall’s proxy daemon (Proxyd). Exploiting this vulnerability could let an attacker execute arbitrary codes on the target app without authentication. As explained in a separate advisory, triggering this flaw merely required the adversary to use maliciously crafted HTTP requests.
Fortinet described this vulnerability, CVE-2021-42756, as another critical severity issue that received a CVSS score of 9.3. It affected FortiWeb versions 5.x (all versions), 6.0.7 and below, 6.1.2 and below, 6.2.6 and below, 6.3.16 and below, and 6.4 (all versions).
Bug Fixes Deployed – Update Asap
Upon discovering the vulnerabilities, Fortinet’s internal researchers highlighted the matter, triggering bug-fix development. Eventually, Fortinet patched the respective vulnerabilities with the subsequent FortiNAC and FortiWeb versions. Hence, users should update their systems with the following product releases.
- FortiNAC version 9.4.1 or above, version 9.2.6 or above, version 9.1.8 or above, and version 7.2.0 or above.
- FortiWeb 7.0.0 or above, 6.3.17 or above, 6.2.7 or above, 6.1.3 or above, and 6.0.8 or above.
Let us know your thoughts in the comments.