CVE-2023-33299: Critical Remote Code Execution Vulnerability in FortiNAC
Fortinet has released a patch fixing a remote code execution vulnerability in several versions of FortiNAC
Background
On June 23, Fortinet published an advisory (FG-IR-23-074) that addresses a critical remote code execution vulnerability in FortiNAC, its Network Access Control solution:
| CVE | Description | CVSSv3 | Severity |
|---|---|---|---|
| CVE-2023-33299 | Fortinet ForitNAC deserialization of untrusted data vulnerability | 9.6 | Critical |
In addition to CVE-2023-33299, Fortinet published an additional advisory (FG-IR-23-096) for a separate vulnerability in FortiNAC:
| CVE | Description | CVSSv3 | Severity |
|---|---|---|---|
| CVE-2023-33300 | Fortinet ForitNAC command injection vulnerability | 4.8 | Medium |
Both flaws were disclosed to Fortinet by security researcher Florian Hauser of CODE WHITE GmbH.
Analysis
CVE-2023-33299 is a deserialization of untrusted data vulnerability in FortiNAC. A remote, unauthenticated attacker could exploit this vulnerability by sending a specially crafted request to the service running on TCP port 1050. Successful exploitation would give the attacker the ability to execute arbitrary code on the target device.
CVE-2023-33300 is a command injection vulnerability caused by improper neutralization of special elements used in commands affecting a smaller subset of versions of FortiNAC affected by CVE-2023-33299. The vulnerability allows an unauthenticated attacker to copy files locally on the device, but does not allow them to access them without having appropriate permissions. Unlike CVE-2023-33299, an attacker would need to be able to access the FortiNAC service on TCP port 5555.
Specified ports not commonly exposed to the public internet
In a blog post detailing his findings for both flaws, Hauser notes that there are a limited number of companies who have TCP ports 1050 and 5555 exposed to the internet. However, organizations that still utilize FortiNAC should apply these patches as soon as possible.
Previous FortiNAC vulnerability exploited in the wild in February 2023
Hauser’s research was inspired by the disclosure of a previous FortiNAC vulnerability in February 2023. Identified as CVE-2022-39952, the flaw was patched on February 16. However, on February 21, researchers at Shadowserver confirmed observed exploitation attempts against its honeypots:
We are seeing @Fortinet FortiNAC CVE-2022-39952 exploitation attempts from multiple IPs in our honeypot sensors. A PoC was published earlier today. Make sure to upgrade your FortiNAC as specified in: https://t.co/edZEG2VOzL
— Shadowserver (@Shadowserver) February 21, 2023
Proof of concept
Proofs-of-concept (PoC) for both CVE-2023-33299 and CVE-2023-33300 are available in Hauser’s blog post.
Solution
Fortinet has released patches for both CVEs across various versions of FortiNAC:
| Affected Versions | Fixed Versions | Associated CVEs |
|---|---|---|
| 9.4.0 through 9.4.2 | 9.4.3 or above | CVE-2023-33299 |
| 9.4.0 through 9.4.3 | 9.4.4 or above | CVE-2023-33300 |
| 9.2.0 through 9.2.7 | 9.2.8 or above | CVE-2023-33299 |
| 9.1.0 through 9.1.9 | 9.1.10 or above | CVE-2023-33299 |
| 7.2.0 and 7.2.1 | 7.2.2 or above | CVE-2023-33299, CVE-2023-33300 |
| 8.3 through 8.8 (all versions) | Upgrade to a non-affected version | CVE-2023-33299 |
Organizations are advised to apply these patches as soon as possible.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.
This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.
Get more information
- Fortinet PSIRT: FG-IR-23-074 (CVE-2023-33299)
- Fortinet PSIRT: FG-IR-23-096 (CVE-2023-33300)
- FortiNAC - Just a few more RCEs
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Related Articles
Cybersecurity Snapshot: Latest MITRE ATT&CK Update Offers Security Insights on GenAI, Identity, Cloud and CI/CD
April 26, 2024Check out what’s new in Version 15 of the MITRE ATT&CK knowledge base of adversary tactics, techniques and procedures. Plus, learn the latest details about the Change Healthcare breach, including the massive scope of the data exfiltration. In addition, why AI cyberthreats aren’t impacting CISOs’ budgets. And much more!
CVE-2024-20353, CVE-2024-20359: Frequently Asked Questions About ArcaneDoor
April 25, 2024Frequently asked questions about CVE-2024-20353 and CVE-2024-20359, two vulnerabilities associated with “ArcaneDoor,” the espionage-related campaign targeting Cisco Adaptive Security Appliances.
CVE-2024-4040: CrushFTP Virtual File System (VFS) Sandbox Escape Vulnerability Exploited
April 23, 2024A zero-day vulnerability in CrushFTP was exploited in the wild against multiple U.S. entities prior to fixed versions becoming available as the vendor recommends customers upgrade as soon as possible.
Cybersecurity Snapshot: Latest MITRE ATT&CK Update Offers Security Insights on GenAI, Identity, Cloud and CI/CD
April 26, 2024Check out what’s new in Version 15 of the MITRE ATT&CK knowledge base of adversary tactics, techniques and procedures. Plus, learn the latest details about the Change Healthcare breach, including the massive scope of the data exfiltration. In addition, why AI cyberthreats aren’t impacting CISOs’ budgets. And much more!
CVE-2024-20353, CVE-2024-20359: Frequently Asked Questions About ArcaneDoor
April 25, 2024Frequently asked questions about CVE-2024-20353 and CVE-2024-20359, two vulnerabilities associated with “ArcaneDoor,” the espionage-related campaign targeting Cisco Adaptive Security Appliances.
CVE-2024-4040: CrushFTP Virtual File System (VFS) Sandbox Escape Vulnerability Exploited
April 23, 2024A zero-day vulnerability in CrushFTP was exploited in the wild against multiple U.S. entities prior to fixed versions becoming available as the vendor recommends customers upgrade as soon as possible.
- Vulnerability Management
- Exposure Management
- Vulnerability Management