Fortinet Patches Critical Arbitrary Code Execution Vulnerability in FortiNAC (CVE-2023-33299)

Fortinet has addressed an arbitrary code execution vulnerability in FortiNAC. CVE-2023-33299 is rated critical with a CVSS base score of 9.6. Florian Hauser of CODE WHITE discovered the vulnerability and reported it to Fortinet. Successful exploitation may allow an unauthenticated attacker to execute unauthorized code on the target system.

FortiNAC is Fortinet’s network access control solution. It enhances the Security Fabric with visibility, control, and automated response for everything connected to the network. FortiNAC protects against IoT threats, extends control to third-party devices, and organizes automatic responses to various networking events.

Vulnerability Details

The deserialization of untrusted data vulnerability may allow an unauthenticated user to execute unauthorized code with the help of specifically crafted requests to the TCP/1050 service.

The root cause is deserialization of untrusted data: the application deserializes input it receives without sufficiently verifying that the resulting data is valid. An attacker who controls the serialized input can abuse the deserialization logic, for example by supplying recursive object graphs or by never providing the data the reader expects in order to terminate.
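To make the vulnerability class concrete, the following is an added example (not FortiNAC code, and not from the advisory; the page does not state which serialization format the TCP/1050 service uses) showing the defensive shape a deserializer needs. It uses Python's pickle as the stand-in format and a constructed message type, a dict of {"host": IPv4Address, "uptime_s": int}, and contrasts a bare pickle.loads() with a loader that bounds the message size, resolves only allow-listed globals, and checks the decoded object's shape; the size bound and the truncated-stream case correspond to the "never terminates" and "recursive object graph" failure modes described above. The names MAX_MESSAGE_BYTES, ALLOWED_GLOBALS, safe_loads and classify are assumptions of this example.

```python
import collections
import io
import ipaddress
import pickle

# Constructed upper bound on one serialized message. Without a bound a client can
# hold the reader waiting for bytes that never arrive, or hand it an object graph
# far larger than the service ever expects.
MAX_MESSAGE_BYTES = 4096

# Allow-list of the globals the unpickler may resolve, mapped to the objects they
# stand for. The constructed message is a dict {"host": IPv4Address, "uptime_s": int};
# dicts, strings and ints never pass through find_class, so the only global the
# stream legitimately names is ipaddress.IPv4Address. Resolving from this table
# instead of importing by name means the stream can never pull in a module of its
# own choosing.
ALLOWED_GLOBALS = {("ipaddress", "IPv4Address"): ipaddress.IPv4Address}

EXPECTED_KEYS = frozenset({"host", "uptime_s"})


class ForbiddenGlobal(pickle.UnpicklingError):
    """The stream referenced a class or callable outside the allow-list."""


class MessageTooLarge(ValueError):
    """The serialized message exceeds MAX_MESSAGE_BYTES."""


class InvalidMessage(ValueError):
    """The stream decoded cleanly but does not match the expected message shape."""


class AllowListUnpickler(pickle.Unpickler):
    """pickle.Unpickler that refuses every global not in ALLOWED_GLOBALS.

    The weak form this replaces is a bare pickle.loads(data) on bytes received from
    the network, which resolves whatever class or callable the stream names.
    """

    def find_class(self, module, name):
        try:
            return ALLOWED_GLOBALS[(module, name)]
        except KeyError:
            raise ForbiddenGlobal(f"forbidden global {module}.{name}") from None


def validate_message(obj) -> dict:
    """Check the decoded object against the message shape; reject anything else."""
    if not isinstance(obj, dict) or set(obj) != EXPECTED_KEYS:
        raise InvalidMessage("expected a dict with keys host and uptime_s")
    if not isinstance(obj["host"], ipaddress.IPv4Address):
        raise InvalidMessage("host must be an IPv4Address")
    uptime = obj["uptime_s"]
    if isinstance(uptime, bool) or not isinstance(uptime, int) or uptime < 0:
        raise InvalidMessage("uptime_s must be a non-negative int")
    return obj


def safe_loads(data: bytes) -> dict:
    """Deserialize one message behind a size bound, an allow-list and a schema check."""
    if len(data) > MAX_MESSAGE_BYTES:
        raise MessageTooLarge(f"{len(data)} bytes exceeds {MAX_MESSAGE_BYTES}")
    obj = AllowListUnpickler(io.BytesIO(data)).load()
    return validate_message(obj)


def classify(data: bytes) -> str:
    """Map the outcome of safe_loads() to a short status string for logs or tests."""
    try:
        safe_loads(data)
        return "ok"
    except ForbiddenGlobal:
        return "forbidden-global"
    except MessageTooLarge:
        return "oversized"
    except InvalidMessage:
        return "invalid-shape"
    except (pickle.UnpicklingError, EOFError):
        # A stream that ends before its STOP opcode or is otherwise malformed.
        # CPython reports this as UnpicklingError or EOFError depending on the
        # unpickler implementation, so both are caught.
        return "malformed-or-truncated"


# Constructed inputs, one per outcome.
GOOD = pickle.dumps({"host": ipaddress.IPv4Address("10.0.0.5"), "uptime_s": 3600})
TRUNCATED = GOOD[:-1]                                    # drops the final STOP opcode
WRONG_SHAPE = pickle.dumps({"host": "10.0.0.5"})         # valid stream, wrong shape
FOREIGN_CLASS = pickle.dumps(collections.OrderedDict())  # names collections.OrderedDict
OVERSIZED = pickle.dumps({"host": ipaddress.IPv4Address("10.0.0.5"),
                          "uptime_s": 0, "pad": "x" * MAX_MESSAGE_BYTES})

if __name__ == "__main__":
    samples = [("good", GOOD), ("truncated", TRUNCATED), ("wrong shape", WRONG_SHAPE),
               ("foreign class", FOREIGN_CLASS), ("oversized", OVERSIZED)]
    for label, blob in samples:
        print(f"{label:14s} -> {classify(blob)}")
```

The three checks are independent and each closes a different gap: the size bound is applied before any parsing so a reader is never committed to an unbounded stream, the allow-list decides at the moment a global is named rather than after the object graph has been built, and the shape check catches input that is well-formed but not what the consuming code was written for.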

Affected Versions

  • FortiNAC version 9.4.0 through 9.4.2
  • FortiNAC version 9.2.0 through 9.2.7
  • FortiNAC version 9.1.0 through 9.1.9
  • FortiNAC version 7.2.0 through 7.2.1
  • FortiNAC 8.8, all versions
  • FortiNAC 8.7, all versions
  • FortiNAC 8.6, all versions
  • FortiNAC 8.5, all versions
  • FortiNAC 8.3, all versions

Mitigation

  • FortiNAC version 9.4.3 or above
  • FortiNAC version 9.2.8 or above
  • FortiNAC version 9.1.10 or above
  • FortiNAC version 7.2.2 or above

For more information, please refer to the PSIRT Advisory FG-IR-23-074.

Qualys Detection

Qualys customers can scan their devices with QID 730834 to detect vulnerable assets. This unauthenticated detection sends a GET request to the actions/system/local-properties/software-details endpoint and checks whether the installed version falls within the affected ranges.
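The version comparison behind such a check is easy to get wrong (string comparison ranks 9.1.10 below 9.1.9), so here is an added example of that step, written for this page and not Qualys's QID logic. The response format of the software-details endpoint is not described on the page, so the example starts from an already-extracted version string and encodes only the Affected Versions and Mitigation lists above; FIXED_IN, UNFIXED_BRANCHES, assess, triage and the sample inventory are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Branches with a fixed release: any version on that branch below the fix is
# affected. Values are taken from the advisory's Affected Versions and Mitigation
# lists (9.4.0-9.4.2 fixed in 9.4.3, and so on).
FIXED_IN = {
    (9, 4): (9, 4, 3),
    (9, 2): (9, 2, 8),
    (9, 1): (9, 1, 10),
    (7, 2): (7, 2, 2),
}

# Branches the advisory lists as affected in all versions, with no fixed release.
UNFIXED_BRANCHES = {(8, 8), (8, 7), (8, 6), (8, 5), (8, 3)}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)*\s*$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch[.build...]]' into (major, minor, patch).

    A missing patch component is treated as 0; anything past the third component
    is ignored because the advisory states its ranges at patch granularity.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised FortiNAC version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def assess(version: str) -> str:
    """Return 'affected', 'fixed' or 'not-listed' for one version string."""
    v = parse_version(version)
    branch = v[:2]
    if branch in UNFIXED_BRANCHES:
        return "affected"
    fix = FIXED_IN.get(branch)
    if fix is None:
        # Branches the advisory does not mention are reported separately rather
        # than silently treated as safe.
        return "not-listed"
    # Tuple comparison, not string comparison: as strings, "9.1.10" < "9.1.9".
    return "affected" if v < fix else "fixed"


def is_affected(version: str) -> bool:
    return assess(version) == "affected"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group a {hostname: version} inventory by assessment result."""
    groups: Dict[str, List[str]] = {
        "affected": [], "fixed": [], "not-listed": [], "unparseable": []
    }
    for host, version in sorted(inventory.items()):
        try:
            groups[assess(version)].append(host)
        except ValueError:
            groups["unparseable"].append(host)
    return groups


# Constructed inventory: hostnames and version strings invented for this example.
SAMPLE_INVENTORY = {
    "nac-a": "9.4.2",
    "nac-b": "9.4.3",
    "nac-c": "8.7.6",
    "nac-d": "9.1.10",
    "nac-e": "7.2.0",
    "nac-f": "n/a",
}

if __name__ == "__main__":
    for group, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{group:12s} {', '.join(hosts) or '-'}")
```

Reporting "not-listed" as its own bucket, rather than folding it into "fixed", keeps the scanner honest when a device reports a branch the advisory never mentions.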

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References

https://www.fortiguard.com/psirt/FG-IR-23-074

https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data
