In the recent Fortinet Monthly PSIRT Advisory Report, Fortinet has published advisories for a total of 40 vulnerabilities, of which 2 are Critical in severity. The vulnerabilities tracked under CVE identifiers CVE-2022-39952 & CVE-2021-42756 are identified as critical severity vulnerabilities as they got the CVSS score of 9.8 & 9.3 on the CVSS scale. As per the vendor, these vulnerabilities allow a remote attacker to perform arbitrary code execution and write an arbitrary file on the system. Since this flaw allows an unauthenticated, remote attacker to exploit this issue remotely and perform operations on the administrative interface, it is highly important to know how to fix CVE-2022-39952 and CVE-2021-42756, the two critical Arbitrary Code Execution vulnerabilities in Fortinet Products.
A Short Intro About the FortiNAC And FortiWeb
FortiNAC and FortiWeb are two distinct security platforms developed by Fortinet, a leading provider of cybersecurity solutions.
FortiNAC is a flexible and modular Network Access Control solution from Fortinet that enables organizations to customize solutions to fit their specific needs. It leverages existing IT infrastructure to provide unparalleled visibility into network activity, allowing for the automatic application of security policies across the entire network. With FortiNAC, organizations can manage access and identify devices and users on their network, ensuring the protection of sensitive data and resources.
FortiWeb, on the other hand, is a web application firewall designed to protect web-based applications and APIs against a variety of threats. It uses advanced threat detection techniques, including machine learning and behavioral analysis, to identify and prevent attacks such as SQL injection, cross-site scripting (XSS), and more. Additionally, FortiWeb offers features such as SSL offloading and load balancing, which can help improve application performance while maintaining security.
FortiNAC and FortiWeb are two powerful security platforms designed to address different aspects of an organization’s security needs. While FortiNAC provides network visibility and access control, FortiWeb protects web-based applications from a range of threats.
Summary of CVE-2022-39952 and CVE-2021-42756
Fortinet has released advisories for these two arbitrary code execution vulnerabilities in their February 2023 Monthly PSIRT Advisory Report. These vulnerabilities allow remote attackers to perform arbitrary code execution and write an arbitrary file on the vulnerable Fortinet products. Let’s see the summary of the two flaws, one after another.
CVE-2022-39952- External Control of File Name or Path in KeyUpload Scriptlet in FortiNAC
This is a critical vulnerability in FortiNAC, which has a CVSS score of 9.8 out of 10 on the CVSS scale. The flaw exists in the web server of FortiNAC, which allows an unauthenticated attacker to control or influence the paths or file names used in file system operations which leads to arbitrary file writie on the system. Attackers would try exploiting this vulnerability to access or modify files that should be restricted, such as system files or user data.
This flaw is based on CWE-73, which is an “External Control of File Name or Path” vulnerability. This flaw occurs due to improper implementation of user input to control file paths or names in the webserver of FortiNAC. An attacker can exploit this vulnerability by providing input that contains specially crafted characters or sequences to traverse directories, execute arbitrary code, or overwrite critical system files. Proper input validation and sanitization techniques should be implemented to prevent user input from being able to influence filesystem operations.
For example, applications can use a whitelist approach to restrict the types of characters and file paths that are allowed as user input. Additionally, file system permissions should be set correctly to restrict access to critical system files and directories.
CVE-2021-42756- Stack-based buffer overflows in Proxyd of FortiWeb
This is a critical vulnerability in FortiWeb, which has a CVSS score of 9.9 out of 10 on the CVSS scale. The flaw exists in the Proxy daemon of FortiWeb, which allows unauthenticated, remote attackers to achieve arbitrary code execution. Attackers would try exploiting this vulnerability to overwrite critical system data, cause the application to crash, or even execute arbitrary code.
This flaw is based on CWE-121, which is a “Stack-based Buffer Overflow” vulnerability. Generally, it occurs when an application attempts to store more data in a buffer than it can hold, causing the data to overflow into adjacent memory locations. An attacker can exploit this vulnerability by sending an HTTP request that contains specially crafted data, which can overwrite critical system data, cause the application to crash, or even execute arbitrary code.
Proper input validation and sanitization techniques should be implemented to ensure that the amount of data being stored in a buffer does not exceed its capacity. Additionally, developers should use safer functions and data structures that automatically check for buffer overflows and prevent them from occurring.
Fortinet Products Affected by the Two Critical Arbitrary Code Execution Vulnerabilities
There are multiple products affected by these four vulnerabilities. However, we have covered this information in the previous post, “Breaking Down the Latest February 2023 Monthly PSIRT Advisory Report From Fortinet“. We suggest checking out the post for a complete list of vulnerabilities.
FortiNAC versions vulnerable to CVE-2022-39952:
- FortiNAC version 9.4.0
- FortiNAC version 9.2.0 through 9.2.5
- FortiNAC version 9.1.0 through 9.1.7
- FortiNAC 8.8 all versions
- FortiNAC 8.7 all versions
- FortiNAC 8.6 all versions
- FortiNAC 8.5 all versions
- FortiNAC 8.3 all versions
FortiWeb versions vulnerable to CVE-2021-42756:
- FortiWeb versions 5.x all versions
- FortiWeb versions 6.0.7 and below
- FortiWeb versions 6.1.2 and below
- FortiWeb versions 6.2.6 and below
- FortiWeb versions 6.3.16 and below
- FortiWeb version 6.4 all versions
How To Fix CVE-2022-39952 & CVE-2021-42756- Two Critical Arbitrary Code Execution Vulnerabilities in Fortinet Products?
Fortinet acknowledged the vulnerability by releasing the patch last week. All the users of the vulnerable version of FortiNAC and FortiWeb are advised to upgrade their appliances to these versions:
- FortiNAC version 9.4.1 or above
- FortiNAC version 9.2.6 or above
- FortiNAC version 9.1.8 or above
- FortiNAC version 7.2.0 or above
- FortiWeb 7.0.0 or above
- FortiWeb 6.3.17 or above
- FortiWeb 6.2.7 or above
- FortiWeb 6.1.3 or above
- FortiWeb 6.0.8 or above
|External Control of File Name or Path in keyUpload scriptlet in FortiNAC
|FortiNAC version 9.4.0
FortiNAC version 9.2.0 through 9.2.5
FortiNAC version 9.1.0 through 9.1.7
FortiNAC 8.8 all versions
FortiNAC 8.7 all versions
FortiNAC 8.6 all versions
FortiNAC 8.5 all versions
FortiNAC 8.3 all versions
|Please upgrade to FortiNAC version 9.4.1 or above
Please upgrade to FortiNAC version 9.2.6 or above
Please upgrade to FortiNAC version 9.1.8 or above
Please upgrade to FortiNAC version 7.2.0 or above
|Stack-based buffer overflows in Proxyd in FortiWeb
|FortiWeb versions 5.x all versions
FortiWeb versions 6.0.7 and below
FortiWeb versions 6.1.2 and below
FortiWeb versions 6.2.6 and below
FortiWeb versions 6.3.16 and below,
FortiWeb version 6.4 all versions
|Upgrade to FortiWeb 7.0.0 or above
Upgrade to FortiWeb 6.3.17 or above
Upgrade to FortiWeb 6.2.7 or above
Upgrade to FortiWeb 6.1.3 or above
Upgrade to FortiWeb 6.0.8 or above
If you want to upgrade FortiNAC, please refer this community post here.
Time needed: 15 minutes.
How to Upgrade FortiWeb?
FortiWeb can be upgraded in two ways: GUI and CLI. If you want to go for the manual upgrade process using GUI, you should download the upgrade image from support portal, go to the ‘File Upload’ underneath “System Information widget”. Upoload the downloaded file and wait the process to complete. That’s it. Check the firmware version to make sure the firmware upgrade is completed.
- Download the latest FortiWeb firmware from the support portal* Log in to the Customer Service & Support web portal here.
* Select the ‘Support‘ option then from the ‘Downloads‘ section.
* Select ‘Firmware Download’.
* Select ‘FortiWeb‘ from the product selection dropdown list
* ‘ Download‘ tab to get the available firmwares list
* Select the required firmware version, and select ‘HTTPS‘ to start downloading, then Save the image of firmware needed on the local disk.
- Upgrade FortiWeb via GUI* Login to FortiWeb via web UI.
* Browser to the below path.Go to: Dashboard-> Status-> System Information widget.
* Select the ‘Firmware Version‘, then select ‘Update Firmware‘ to start the upgrade procedure:
* Wait for the uploading process to be completed and for the Fortiweb to restart.
* Go to: Dashboard-> Status-> System Information widget to verify the FortiWeb firmware version.
- Upgrade FortiWeb via CLIA TFTP server is required to upgrade the firmware. Set up a TFTP server and download the latest FortiWeb firmware image to the TFTP server.
Make sure UDP port 69 is open between the TFTP server and the FortiWeb.
Login to FortiWeb via SSH.
Run the below command to initiate image transfer and the upgrade:
# execute restore image tftp
Note: Upgrade from CLI mode is only supported in V6.0 and later firmware.
Run this command to verify the FortiWeb firmware version.
# get sys status