Exploit released for critical Fortinet RCE flaws, patch now


Security researchers have released a proof-of-concept exploit for a critical-severity vulnerability (CVE-2022-39952) in Fortinet’s FortiNAC network access control suite.

Fortinet disclosed the security issue on February 16 and calculated a severity score of 9.8. The vendor warned that it could be leveraged by an unauthenticated attacker to write arbitrary files on the system and achieve remote code execution with the highest privileges.

Organizations using FortiNAC 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, and all versions on the 8.8, 8.7, 8.6, 8.5, and 8.3 branches were urged to prioritize applying the available security updates.

Today, researchers at cybersecurity company Horizon3 published a technical post detailing the vulnerability and how it can be exploited. Proof-of-concept (PoC) exploit code is also available from the company’s repository on GitHub.

Attacking FortiNAC

The released PoC involves writing a cron job to /etc/cron.d/ that triggers every minute to initiate a root reverse shell to the attacker, giving them remote code execution capabilities.

The analysts discovered that the fix for CVE-2022-39952 removed ‘keyUpload.jsp,’ an endpoint that parses requests for a ‘key’ parameter, writes it to a config file, and then executes a bash script, ‘configApplianceXml.’

The bash script executes the ‘unzip’ command on the newly written file, but just before that, the script calls “cd /.”

“Unzip will allow placing files in any paths as long as they do not traverse above the current working directory,” Horizon3 explains.

“Because the working directory is /, the call to unzip inside the bash script allows any arbitrary file to be written,” the researchers added.

Hence, an attacker can create a ZIP archive that contains the payload, specifying where it must be extracted, and then send it to the vulnerable endpoint using the key parameter. Horizon3 says the reverse shell should be ready within a minute.
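As an added illustration (not Horizon3's PoC and not FortiNAC code), the Python below shows why a working directory of / turns unzip's "no traversal above cwd" rule into a no-op, and the extraction pattern that keeps untrusted archive members inside a dedicated staging directory. The archive members, their contents and the directory names are constructed for this example.

```python
import io
import os
import tempfile
import zipfile


def build_sample_archive() -> bytes:
    """Constructed sample: a relative member path that lands in /etc/cron.d/ when cwd is /."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("etc/cron.d/sample_job", "# placeholder member body, constructed for this example\n")
        zf.writestr("docs/readme.txt", "benign member\n")
    return buf.getvalue()


def landing_paths(archive_bytes: bytes, cwd: str) -> dict:
    """Where each member would be written if extracted relative to cwd (no '..' needed)."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return {name: os.path.normpath(os.path.join(cwd, name)) for name in zf.namelist()}


def is_contained(dest: str, member: str) -> bool:
    """True if member resolves inside dest; rejects absolute names and '..' escapes.

    Note that dest='/' contains every relative path, which is exactly the FortiNAC
    defect: the containment check only means something for a narrow staging directory.
    """
    dest = os.path.normpath(os.path.abspath(dest))
    if os.path.isabs(member) or member.startswith("\\"):
        return False
    target = os.path.normpath(os.path.join(dest, member))
    return os.path.commonpath([dest, target]) == dest


def safe_extract(archive_bytes: bytes, dest: str) -> list:
    """Extract into a dedicated directory; refuse the whole archive if any member escapes it."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        escaping = [n for n in zf.namelist() if not is_contained(dest, n)]
        if escaping:
            raise ValueError(f"refusing archive, members escape {dest}: {escaping}")
        for name in zf.namelist():
            zf.extract(name, dest)
        return [os.path.relpath(os.path.join(dest, n), dest) for n in zf.namelist()]


def run_demo() -> list:
    """Extract the sample into a fresh staging directory and return the relative paths written."""
    with tempfile.TemporaryDirectory() as stage:
        return safe_extract(build_sample_archive(), stage)
```

Compare landing_paths(build_sample_archive(), "/") with the same call for a staging directory: the member name is identical, only the working directory decides whether it becomes a cron job or a harmless file under the stage.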

The ‘key’ parameter ensures that the malicious request will reach ‘keyUpload.jsp,’ which is the unauthenticated endpoint that Fortinet removed in the fixed versions of FortiNAC.

The code from Horizon3 automates this process and could be picked up and modified by threat actors into a weaponized exploit. It can also help defenders build appropriate protection against exploitation attempts on corporate networks.

FortiNAC administrators are strongly recommended to immediately upgrade to a version of the product that is not affected by the CVE-2022-39952 vulnerability, specifically FortiNAC 9.4.1 or later, 9.2.6 or above, 9.1.8 or newer, and 7.2.0 or later.


(c) Bill Toulas
