
Fortinet Releases Security Updates for FortiNAC

Advisories include one critical vulnerability that could allow an attacker to execute unauthorised code or commands




Threat details

Introduction

Fortinet has released security advisories to address two vulnerabilities in FortiNAC products. The critical vulnerability, CVE-2023-33299, has a CVSSv3 score of 9.6. It concerns deserialisation of untrusted data and could allow an unauthenticated user to execute unauthorised code or commands via specially crafted requests.

The medium severity vulnerability, CVE-2023-33300, concerns command injection and could allow an unauthenticated attacker to copy local files on the device to other local directories on the device via specially crafted input fields.

Proof-of-concept released for CVE-2023-33299 and CVE-2023-33300

A proof-of-concept has been released for CVE-2023-33299, a remote code execution vulnerability, and for CVE-2023-33300, a command injection vulnerability. Exploitation is considered more likely.


Threat updates

Date: 26 Jun 2023
Update: Proof-of-concept released

Article updated to reflect the release of public proof-of-concept code.


Remediation advice

Affected organisations are encouraged to review Fortinet's Product Security Incident Response Team's PSIRT Advisories page and apply any relevant updates.


Remediation steps

Type: Patch
Step: FortiNAC - java untrusted object deserialization RCE | FG-IR-23-074
https://www.fortiguard.com/psirt/FG-IR-23-074

Type: Patch
Step: FortiNAC - argument injection in XML interface on port tcp/5555 | FG-IR-23-096
https://www.fortiguard.com/psirt/FG-IR-23-096



Last edited: 26 June 2023 12:08 pm