Fortinet’s FortiNAC Vulnerability Poses Risk of Code Execution Attacks on Networks

Fortinet has issued critical updates to mitigate a severe security vulnerability in its FortiNAC network access control solution that poses a significant risk of arbitrary code execution. This flaw, identified as CVE-2023-33299, has been assigned a severity score of 9.6 on the CVSS scale, categorizing it as highly critical.

The vulnerability stems from a Java untrusted object deserialization issue, which allows for the possibility of executing unauthorized commands by malicious actors. As noted in Fortinet’s advisory, an unauthenticated user could potentially exploit this vulnerability through specially crafted requests directed at the tcp/1050 service.

The impacted FortiNAC products include versions ranging from 7.2.0 to 9.4.2, with patches available in newer releases such as FortiNAC 7.2.2, 9.1.10, 9.2.8, and 9.4.3. Among the affected versions are FortiNAC 8.5, 8.6, 8.7, and 8.8, along with earlier iterations of the 9.x series.

Fortinet has also addressed a medium-severity vulnerability, tracked as CVE-2023-33300 (CVSS score: 4.8), linked to improper access control affecting FortiNAC versions 9.4.0 through 9.4.3 and 7.2.0 through 7.2.1. This vulnerability has been resolved in recent patches, demonstrating a proactive approach to ensuring the security of their solutions.

Florian Hauser, a researcher from the German cybersecurity firm CODE WHITE, is credited with discovering and reporting both vulnerabilities. These alerts come on the heels of the active exploitation of another critical vulnerability in FortiOS and FortiProxy, identified as CVE-2023-27997. This vulnerability too could allow an attacker to execute arbitrary commands through specially crafted requests.

The aforementioned critical vulnerabilities raise concerns about the security of targeted sectors, particularly government, manufacturing, and critical infrastructure. After the recent exploitations, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included these vulnerabilities in their Known Exploited Vulnerabilities (KEV) catalog, underscoring the gravity of the situation.

In an adjacent development, Grafana has released patches for another serious security flaw, CVE-2023-3128, which allows malicious actors to bypass authentication processes in Azure Active Directory, potentially granting them full access to user accounts, sensitive customer data, and other private information.

Security professionals advising business owners are urged to closely monitor these developments and apply the respective patches to safeguard their infrastructure. Awareness of potential attack tactics, such as initial access via unauthenticated requests and privilege escalation through code execution, draws from the MITRE ATT&CK framework and highlights the ongoing risks in maintaining network security in today’s landscape.