Security News > 2023 > February > PoC exploit, IoCs for Fortinet FortiNAC RCE released (CVE-2022-39952)

PoC exploit, IoCs for Fortinet FortiNAC RCE released (CVE-2022-39952)
2023-02-21 14:25

Horizon3's Attack Team has released a PoC exploit for CVE-2022-39952, a critical vulnerability affecting FortiNAC, Fortinet's network access control solution.

"Similar to the weaponization of previous archive vulnerability issues that allow arbitrary file write, we use this vulnerability to write a cron job to /etc/cron.d/payload. This cron job gets triggered every minute and initiates a reverse shell to the attacker," shared Zach Hanley, Chief Attack Engineer at Horizon3.

"We first create a zip that contains a file and specify the path we want it extracted. Then, we send the malicious zip file to the vulnerable endpoint in the key field. Within a minute, we get a reverse shell as the root user."

He notes, it's possible defenders won't find it if attackers make sure to scrub the log file.

"Arbitrary file write vulnerabilities can be abused in several ways to obtain remote code execution. In this case, we write a cron job to /etc/cron.d/, but attackers could also overwrite and binary on the system that is regularly executed or SSH keys to a user profile," he added.

Enterprise admins who have missed the initial Fortinet alert are advised to update their FortiNAC device(s) to version 9.4.1 or above, 9.2.6 or above, 9.1.8 or above, and 7.2.0 or above as soon as possible, because there are no available workarounds.


News URL

https://www.helpnetsecurity.com/2023/02/21/cve-2022-39952-poc/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-02-16 CVE-2022-39952 Exposure of Resource to Wrong Sphere vulnerability in Fortinet Fortinac
A external control of file name or path in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP request.
network
low complexity
fortinet CWE-668
critical
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Fortinet 76 15 312 265 80 672