Cyble – Critical Vulnerability In FortiNAC (CVE-2022-39952) Exposes Multiple Organizations To Cyberattacks

Publicly released Proof of Concept (POC) increases the likelihood of exploitation by Threat Actors

On 16^th Feb 2023, PSIRT released a security advisory for a critical vulnerability affecting multiple versions of FortiNAC, a product of Fortinet.

FortiNAC is a network access control solution aimed to provide visibility, control, and automated response to enterprise network that contains Information Technology (IT), Operational Technology (OT), and Internet of Things (IoT) devices.

The affected product is widely used in mid to large-size enterprises involving state and private entities. Hence preventing exploitation of CVE-2022-39952 is pivotal, and the issue needs to be addressed timely by the organizations using the affected version of FortiNAC.

Vulnerability Description

External control of file name or path vulnerability [CWE-73] in affected versions of FortiNAC web server may allow Threat Actors (TAs) to perform arbitrary write on the system and deploy web shells.

The vulnerable FortiNAC versions contain a file ”keyUpload.jsp”. The scriptlet provides a function that allows users to upload arbitrary files. The uploaded file is saved in “/bsc/campusMgr/config/upload. applianceKey”. Afterward “keyUpload.jsp” file runs a bash script located at “/bsc/campusMgr/bin/configApplianceXml” with root privileges to unzip the uploaded file.

Figure 1 Contents of configApplicanceXml — *Figure 1 – Contents of configApplianceXml*

As shown in Figure 1, The bash script calls unzip on the file that was written, but before that script calls cd /. While the working directory is /, the call unzips inside the bash script. It allows the arbitrary file to be written by an attacker, as attackers might upload arbitrary files to unauthenticated endpoints and allow remote code execution with root privileges on the target system.

Affected FortiNAC versions

FortiNAC version 9.4.0
FortiNAC version 9.2.0 through 9.2.5
FortiNAC version 9.1.0 through 9.1.7
FortiNAC 8.8 all versions
FortiNAC 8.7 all versions
FortiNAC 8.6 all versions
FortiNAC 8.5 all versions
FortiNAC 8.3 all versions

Timeline of events

16^th February 2023 – PSIRT released an advisory
18^thFebruary 2023 – Horizon3.ai indicated the release of a Blog post and Proof of Concept
21^st February 2023 – Proof of Concept released in the public domain. – GitHub Link
22^nd February 2023 – Exploitation attempts were observed
24^th February 2023 – Nuclei template released in the public domain

Exposed Assets

One of the online scanners suggests that there are over 1k exposed FortiNAC internet exposed instances. The figure below shows a graphical representation of the same.

Figure 2 Geographical representation of Exposed FortiNAC instances — Figure 2 – Geographical representation of Exposed FortiNAC instances

Note: Exposed instances do not indicate vulnerable exposures.

Even though the exposure of Fortinet devices over the internet is huge, the amount of internet exposed FortiNAC is relatively very low.

Conclusion

Exposing critical assets over the internet provides a wider attack surface for Threat Actors (TAs) as the POC for CVE-2022-39952 is available in the public domain along with a fair amount of exposed assets. We might observe TAs targeting the internet exposed FortiNAC instances; as previously observed, Fortinet products have been exploited by TAs and also are actively sold over the dark web markets.

Hence owners of affected product are advised to update their firmware with the latest patch released by the official vendor.

Cyble actively monitors mass exploitation attempts of known vulnerabilities via its Global Sensor Intelligence Network and Darkweb monitoring, CRIL team will keep updating IOCs and new happening around CVE-2022-39952 in near future.

Indicators of Compromise

Indicators	Indicator Type	Description
173[.]249[.]56[.]171	IP	Malicious & Blacklisted IP as pointed out by online scanner.
173[.]212[.]243[.]253	IP	Malicious & Blacklisted IP as pointed out by online scanner.

Recommendations

Keeping software, firmware, and applications updated with the recent patches and mitigations released by the official vendor is necessary to prevent attackers from exploiting vulnerabilities.
Implement proper network segmentation to prevent attackers from performing lateral movement and minimize exposure of critical assets over the internet.
Regular Audits, Vulnerability, and Pentesting exercises are key in finding security loopholes that attackers may exploit.
Continuous monitoring and logging can help in detecting network anomalies early.

References

https://nvd.nist.gov/vuln/detail/CVE-2022-39952

https://github.com/horizon3ai/CVE-2022-39952

https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/

https://www.fortiguard.com/psirt/FG-IR-22-300

https://www.fortinet.com/blog/psirt-blogs/cve-2022-39952-fortinac-perspective

Source: https://blog.cyble.com/2023/02/27/critical-vulnerability-in-fortinac-cve-2022-39952-exposes-multiple-organizations-to-cyberattacks/

Tags: EXPLOIT, IOT, PATCH, CVE, DARK WEB, VULNERABILITY, LATERAL MOVEMENT