Security News > 2023 > February > Exploit released for critical Fortinet RCE flaws, patch now

Exploit released for critical Fortinet RCE flaws, patch now
2023-02-21 18:21

Security researchers have released a proof-of-concept exploit for a critical-severity vulnerability in Fortinet's FortiNAC network access control suite.

Proof-of-concept exploit code is also available from the company's repository on GitHub.

The analysts discovered that the fix for CVE-2022-39952 removed 'keyUpload.jsp,' an endpoint that parses requests for a 'key' parameter, writes it on a config file, and then executes a bash script, 'configApplianceXml.

The bash script executes the 'unzip' command on the newly written file, but just before that, the script calls "Cd /.".

"Because the working directory is /, the call unzip inside the bash script allows any arbitrary file to be written," the researchers added.

The 'key' parameter ensures that the malicious request will reach 'keyUpload.jsp,' which is the unauthenticated endpoint that Fortinet removed in the fixed versions of FortiNAC. The code from Horizon3 automates this process and could be picked up and modified by threat actors into a weaponized exploit.


News URL

https://www.bleepingcomputer.com/news/security/exploit-released-for-critical-fortinet-rce-flaws-patch-now/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-02-16 CVE-2022-39952 Exposure of Resource to Wrong Sphere vulnerability in Fortinet Fortinac
A external control of file name or path in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP request.
network
low complexity
fortinet CWE-668
critical
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Fortinet 169 57 403 183 81 724