Critical vulnerability affecting Fortinet FortiNAC
Last week, Fortinet reported that it had internally discovered and patched a critical vulnerability (CVE-2022-39952) affecting a wide range of versions of its FortiNAC product, a network access control solution. At the time of disclosure, the limited information available described the vulnerability as residing in the keyUpload scriptlet and being caused by external control of a file name or path. This could allow an unauthenticated remote attacker to write arbitrary files to the system and, in turn, execute code.
On February 21, security company Horizon3.ai published an excellent analysis of the vulnerability based on comparing a vulnerable and a fixed version of the product. We recommend reading their write-up for the full details. In summary, they determined that the vulnerability is caused by the /configWizard/keyUpload.jsp scriptlet accepting unauthenticated requests that can supply any ZIP file via the ‘key’ POST parameter. That ZIP file is then extracted with elevated privileges using the root directory (/) as the working directory, so the entry names inside the archive decide where its files land, and an attacker who controls the archive can write files to arbitrary locations on the system. In turn, remote attackers can execute arbitrary code with root privileges.
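To make the root cause concrete, the following added example (our own illustration, not code from Horizon3.ai, Fortinet, or the FortiNAC product) contrasts two ways of extracting an uploaded archive. The first mimics what a plain `unzip -o` does when run from `/`: each entry is written relative to the working directory, so an archive entry named `etc/demo.d/planted.conf` lands in `/etc/demo.d/` with no traversal tricks needed. The second is a hardened counterpart that extracts into a dedicated directory, accepts only an allowlisted entry name, and checks that each resolved target stays inside that directory. The entry names, directory names, and archive contents are constructed for the demonstration and are not taken from the product; a temporary directory stands in for `/` so nothing outside it is touched.

```python
import io
import os
import tempfile
import zipfile

# Constructed sample upload: the one entry a legitimate caller would send,
# plus an extra entry whose name points somewhere the server never intended.
SAMPLE_ENTRIES = {
    "appliance.key": b"-----BEGIN KEY-----\nconstructed-test-key\n-----END KEY-----\n",
    "etc/demo.d/planted.conf": b"# attacker-controlled content\n",
}
# The hardened extractor only ever expects this entry (assumed name).
ALLOWED_NAMES = {"appliance.key"}


def build_zip(entries):
    """Build a ZIP archive in memory from {entry_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def extract_like_unzip_from_root(zip_bytes, root):
    """Mimic 'unzip -o archive' with the current directory set to root.

    Entry names are taken at face value, so the archive author decides where
    each file lands relative to root. Leading slashes are stripped and '..'
    components skipped, as Info-ZIP unzip does by default; that keeps this
    demo inside its sandbox root but does nothing against plain relative
    paths, which is exactly the gap when root is '/'.
    """
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lstrip("/")
            if info.is_dir() or ".." in name.split("/"):
                continue
            target = os.path.join(root, name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(name)
    return written


def extract_safely(zip_bytes, dest, allowed_names):
    """Hardened counterpart: dedicated destination directory, allowlisted
    entry names, and a containment check on every resolved target path.
    All entries are validated before anything is written to disk."""
    dest = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        plan = []
        for info in zf.infolist():
            name = info.filename
            if name not in allowed_names:
                raise ValueError(f"unexpected archive entry: {name!r}")
            target = os.path.realpath(os.path.join(dest, name))
            if os.path.commonpath([dest, target]) != dest:
                raise ValueError(f"entry escapes destination: {name!r}")
            plan.append((info, target))
        for info, target in plan:
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
    return [info.filename for info, _ in plan]


def demo():
    """Run both extractors inside a throwaway root and report the outcome."""
    upload = build_zip(SAMPLE_ENTRIES)
    result = {}
    with tempfile.TemporaryDirectory() as root:
        # 1. Naive extraction from the sandbox "/" plants the extra file.
        result["naive_written"] = extract_like_unzip_from_root(upload, root)
        result["planted_outside"] = os.path.isfile(
            os.path.join(root, "etc", "demo.d", "planted.conf"))

        # 2. Hardened extraction rejects the same upload outright.
        keydir = os.path.join(root, "keystore")
        os.makedirs(keydir)
        try:
            extract_safely(upload, keydir, ALLOWED_NAMES)
            result["hardened_rejected"] = False
        except ValueError:
            result["hardened_rejected"] = True

        # 3. A clean upload with only the expected entry is accepted.
        clean = build_zip({"appliance.key": SAMPLE_ENTRIES["appliance.key"]})
        result["clean_written"] = extract_safely(clean, keydir, ALLOWED_NAMES)

        # 4. Even an allowlisted name cannot escape via '..': containment
        #    is checked on the resolved path, independent of the allowlist.
        try:
            extract_safely(build_zip({"../escape.key": b"x"}), keydir, {"../escape.key"})
            result["traversal_rejected"] = False
        except ValueError:
            result["traversal_rejected"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix that matters is not only "do not run as root" (though that would limit the damage) but never letting the archive author pick the destination: extract into a directory created for the purpose, allowlist what the archive may contain, and verify the resolved path of every entry before writing it.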
This is a very basic vulnerability in a “zero-trust” security product, and it can be reliably exploited. In fact, along with their detailed analysis, Horizon3.ai published exploit code that is currently available on GitHub. While we applaud Fortinet for openly addressing an internally discovered vulnerability rather than attempting to silently fix it, it is surprising that the vulnerability made it past their SDLC (Software Development Life Cycle) / SDL (Security Development Lifecycle) and into the product in the first place, and that it then remained undetected for so long.
Track developments using VulnDB
This Fortinet FortiNAC vulnerability poses a significant risk to organizations running affected versions, and immediate action is required to patch those systems. Customers using Flashpoint’s VulnDB solution can track any developments for this vulnerability via VulnDB ID 313000.