Fortinet resolves critical vulnerability affecting network access control system
The bug could allow an unauthenticated user to execute unauthorised commands via specifically crafted requests
Fortinet has released software updates for a critical vulnerability in its FortiNAC network access control product that, if exploited, allows arbitrary code execution on vulnerable systems.
FortiNAC is Fortinet's network access control (NAC) solution, built around zero-trust access principles and designed to give organisations visibility into and control over what connects to their networks.
With FortiNAC, network administrators gain the ability to define and enforce security policies, authenticate and authorise devices, and closely monitor network activity.
Fortinet says it has addressed a security vulnerability, identified as CVE-2023-33299, which has been assigned a critical severity score of 9.6 out of 10. This particular flaw is related to the deserialisation of untrusted data and could be exploited by an unauthenticated attacker through specifically crafted requests to the TCP/1050 service.
"A deserialisation of untrusted data vulnerability [CWE-502] in FortiNAC may allow an unauthenticated user to execute unauthorised code or commands via specifically crafted requests to the tcp/1050 service," Fortinet said in its advisory.
The following products are affected by this vulnerability:
- FortiNAC version 9.4.0 through 9.4.2
- FortiNAC version 9.2.0 through 9.2.7
- FortiNAC version 9.1.0 through 9.1.9
- FortiNAC version 7.2.0 through 7.2.1
- FortiNAC 8.8, all versions
- FortiNAC 8.7, all versions
- FortiNAC 8.6, all versions
- FortiNAC 8.5, all versions
- FortiNAC 8.3, all versions
To remediate the vulnerability, upgrade to one of the following releases. Note that no fixed release is listed for the 8.x branches, so deployments on 8.3 through 8.8 must move to one of the fixed branches below:
- FortiNAC 9.4.3 or above
- FortiNAC 9.2.8 or above
- FortiNAC 9.1.10 or above
- FortiNAC 7.2.2 or above
CVE-2023-33299 was discovered by Florian Hauser, a security researcher from Code White, a company specialising in penetration testing and threat intelligence services.
Due to the high severity of the issue, it is strongly advised that customers install the recommended version without delay.
In addition to the critical RCE bug, Fortinet has resolved a medium-severity vulnerability tracked as CVE-2023-33300. This one is an improper access control issue affecting FortiNAC versions 9.4.0 through 9.4.3 and 7.2.0 through 7.2.1.
The fix is available in FortiNAC 7.2.2 and 9.4.4. Because the affected range extends to 9.4.3, the release that fixes CVE-2023-33299 on the 9.4 branch, a 9.4 system patched only for the critical bug is still exposed to this one.
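Two CVEs with overlapping but different affected ranges and branch-specific fix versions are easy to get wrong by eye (9.4.3 is fixed for one and still affected by the other; the 8.x branches have no fix at all). The script below, an added example for this article and not Fortinet tooling, transcribes the affected and fixed ranges quoted above into a table and triages a list of FortiNAC version strings against it. The inventory at the bottom is constructed sample data, and a version that falls outside every listed branch is reported as "not listed", not as verified safe.

```python
"""Triage FortiNAC version strings against the affected/fixed ranges quoted
in this article for CVE-2023-33299 and CVE-2023-33300.

Added example; not Fortinet code. The table is transcribed from the
advisory text above, and SAMPLE_INVENTORY is constructed data."""

from dataclasses import dataclass
from typing import Optional, Tuple

Ver = Tuple[int, int, int]


@dataclass(frozen=True)
class Branch:
    first: Ver                  # first affected release in the branch, inclusive
    fixed: Optional[Ver]        # first fixed release, exclusive; None = no fix in branch


# Transcribed from the affected/fixed lists in the article.
ADVISORIES = {
    "CVE-2023-33299": [
        Branch((9, 4, 0), (9, 4, 3)),
        Branch((9, 2, 0), (9, 2, 8)),
        Branch((9, 1, 0), (9, 1, 10)),
        Branch((7, 2, 0), (7, 2, 2)),
        Branch((8, 8, 0), None),   # "all versions", no fixed release listed
        Branch((8, 7, 0), None),
        Branch((8, 6, 0), None),
        Branch((8, 5, 0), None),
        Branch((8, 3, 0), None),
    ],
    "CVE-2023-33300": [
        Branch((9, 4, 0), (9, 4, 4)),
        Branch((7, 2, 0), (7, 2, 2)),
    ],
}


def parse_version(text: str) -> Ver:
    """'9.4.2' -> (9, 4, 2). Rejects anything that is not major.minor.patch."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiNAC version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def assess(version_text: str) -> dict:
    """Return {cve: fix} for every CVE whose affected range covers the version.

    fix is the first fixed release in the same branch as a string, or None when
    the branch has no fixed release and a migration to a fixed branch is needed.
    An empty dict means the version is not inside any listed range; that is
    'not listed in the advisory', not 'audited safe'."""
    v = parse_version(version_text)
    hits = {}
    for cve, branches in ADVISORIES.items():
        for b in branches:
            if v[:2] != b.first[:2]:            # compare only within the same branch
                continue
            if v >= b.first and (b.fixed is None or v < b.fixed):
                hits[cve] = None if b.fixed is None else ".".join(map(str, b.fixed))
            break                               # one branch entry per CVE
    return hits


def triage(inventory):
    """inventory: iterable of (host, version) -> list of (host, version, hits)."""
    return [(host, ver, assess(ver)) for host, ver in inventory]


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("nac-01", "9.4.2"),
    ("nac-02", "9.4.3"),
    ("nac-03", "8.8.11"),
    ("nac-04", "7.2.2"),
]

if __name__ == "__main__":
    for host, ver, hits in triage(SAMPLE_INVENTORY):
        if not hits:
            print(f"{host} {ver}: not listed as affected")
        for cve, fix in hits.items():
            action = (f"upgrade to {fix} or later" if fix
                      else "no fixed release in this branch; migrate to a fixed branch")
            print(f"{host} {ver}: {cve} -> {action}")
```

Running it shows the trap directly: nac-02 on 9.4.3 is clean for CVE-2023-33299 but still flagged for CVE-2023-33300 with 9.4.4 as the target, and nac-03 on 8.8.x gets no in-branch fix at all.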
Fortinet has not reported exploitation of either vulnerability, but unauthenticated RCE flaws in network edge products are a frequent target, and Fortinet's own recent history, summarised below, shows how quickly such bugs are picked up by attackers.
Previous vulnerabilities patched by Fortinet
Earlier this month, Fortinet disclosed that a critical vulnerability (CVE-2023-27997, CVSS score 9.2) in the SSL VPN component of FortiOS and FortiProxy may have been exploited in a limited number of attacks against government, manufacturing and critical infrastructure organisations. The flaw is a pre-authentication remote code execution (RCE) bug: a remote attacker can trigger it before any login takes place, so it can be exploited even where multi-factor authentication (MFA) is enforced on the VPN.
In response, the US Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, underlining the urgency of patching or applying the recommended mitigations.
In March, Fortinet fixed another critical vulnerability in FortiOS and FortiProxy, CVE-2023-25610, a buffer underflow in the administrative interface that could allow an unauthenticated remote attacker to execute arbitrary code or cause a denial of service (DoS) via specially crafted HTTP requests.