Publicly released Proof of Concept (POC) increases the likelihood of exploitation by Threat Actors
On 16th Feb 2023, Fortinet's PSIRT released a security advisory for a critical vulnerability, CVE-2022-39952, affecting multiple versions of FortiNAC, a product of Fortinet.
FortiNAC is a network access control solution that aims to provide visibility, control, and automated response for enterprise networks containing Information Technology (IT), Operational Technology (OT), and Internet of Things (IoT) devices.
The affected product is widely used in mid-size to large enterprises, both state and private. Preventing exploitation of CVE-2022-39952 is therefore pivotal, and organizations running an affected version of FortiNAC need to address the issue promptly.
An external control of file name or path vulnerability [CWE-73] in affected versions of the FortiNAC web server may allow Threat Actors (TAs) to perform an arbitrary file write on the system and deploy web shells.
The vulnerable FortiNAC versions ship a scriptlet, "keyUpload.jsp", that accepts file uploads from unauthenticated users. The uploaded file is saved as "/bsc/campusMgr/config/upload.applianceKey". "keyUpload.jsp" then runs a bash script located at "/bsc/campusMgr/bin/configApplianceXml" with root privileges to unzip the uploaded file.
As shown in Figure 1, the bash script first runs cd / and only then calls unzip on the uploaded file. Because the working directory is / when unzip runs, every member name inside the archive is extracted relative to the root of the filesystem, so whoever controls the archive controls where its contents are written. Since the upload endpoint is unauthenticated and the script runs as root, a simple file upload becomes an arbitrary file write and, from there, remote code execution with root privileges on the target system.
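The following Python script is an added illustration of the extraction behaviour described above; it is not FortiNAC code and not the public POC. It builds a small zip in memory (the member name "etc/demo.conf" and its contents are constructed for the demo), extracts it the way the advisory's script does (change into a root directory, trust every member name) and then the way a hardened version should (extract into a dedicated directory, reject members that escape it, optionally restrict member names to an expected prefix). A scratch directory stands in for "/".

```python
"""Why "cd / && unzip <upload>" is an arbitrary file write.

Added illustration for this post, not FortiNAC code: the archive is
constructed here, and unsafe_extract()/safe_extract() stand in for the
bash script's unzip call. A scratch directory plays the role of "/".
Member names such as "etc/demo.conf" are made up for the demo.
"""
import io
import os
import tempfile
import zipfile


def build_archive(entries):
    """Build a zip in memory. `entries` maps member name -> bytes.
    Member names are attacker-controlled, exactly as in an uploaded key file.
    Stock unzip strips a leading "/" and refuses "../" by default, so a plain
    relative name is all that is needed when the working directory is "/"."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def unsafe_extract(archive, root):
    """Mirror the advisory's script: treat `root` as the cwd, then unzip while
    trusting every member name (Python's own extractall() would sanitise, so
    this writes members by hand). Returns the absolute paths written."""
    root = os.path.realpath(root)
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(root, info.filename)  # no validation at all
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def safe_extract(archive, dest, allowed_prefix=""):
    """Hardened stand-in: extract into a dedicated directory `dest` (never
    "/"), reject any member whose resolved path leaves `dest`, and
    optionally require member names to start with `allowed_prefix`.
    Raises ValueError on the first rejected member, before writing it."""
    dest = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            name = info.filename
            if os.path.isabs(name):
                raise ValueError(f"absolute member name rejected: {name}")
            if allowed_prefix and not name.startswith(allowed_prefix):
                raise ValueError(f"member outside allowed prefix: {name}")
            target = os.path.realpath(os.path.join(dest, name))
            if os.path.commonpath([dest, target]) != dest:
                raise ValueError(f"member escapes destination: {name}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def demo():
    """Run both extractors on the same constructed archive and report,
    relative to each scratch root, what landed on disk or was refused."""
    archive = build_archive({"etc/demo.conf": b"# constructed payload\n"})
    fake_root = tempfile.mkdtemp(prefix="fakeroot-")
    quarantine = tempfile.mkdtemp(prefix="quarantine-")
    unsafe = [os.path.relpath(p, os.path.realpath(fake_root))
              for p in unsafe_extract(archive, fake_root)]
    hardened = [os.path.relpath(p, os.path.realpath(quarantine))
                for p in safe_extract(archive, quarantine)]
    try:
        safe_extract(archive, quarantine, allowed_prefix="applianceKey/")
        rejected = None
    except ValueError as exc:
        rejected = str(exc)
    try:
        safe_extract(build_archive({"../escape.conf": b"x"}), quarantine)
        traversal = None
    except ValueError as exc:
        traversal = str(exc)
    return {"unsafe": unsafe, "hardened": hardened,
            "rejected": rejected, "traversal": traversal}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the scratch directory in place of "/", the unsafe extractor drops etc/demo.conf directly under the fake root, which is exactly the arbitrary write the advisory describes; the hardened extractor only ever writes under its quarantine directory and refuses both a traversal member and a member outside the expected prefix.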
Affected FortiNAC versions
- FortiNAC version 9.4.0
- FortiNAC version 9.2.0 through 9.2.5
- FortiNAC version 9.1.0 through 9.1.7
- FortiNAC 8.8 all versions
- FortiNAC 8.7 all versions
- FortiNAC 8.6 all versions
- FortiNAC 8.5 all versions
- FortiNAC 8.3 all versions
Timeline of events
16th February 2023 – PSIRT released an advisory
18th February 2023 – Horizon3.ai indicated that a blog post and Proof of Concept would be released
21st February 2023 – Proof of Concept released in the public domain. – GitHub Link
22nd February 2023 – Exploitation attempts were observed
24th February 2023 – Nuclei template released in the public domain
One online scanner reports over 1,000 FortiNAC instances exposed to the internet. The figure below shows the distribution of these exposures.
Note: Exposed instances do not indicate vulnerable exposures.
Even though the internet exposure of Fortinet devices in general is huge, the number of internet-exposed FortiNAC instances is relatively small.
Exposing critical assets to the internet widens the attack surface for Threat Actors (TAs). With the POC for CVE-2022-39952 available in the public domain and a fair number of exposed assets, we may observe TAs targeting internet-exposed FortiNAC instances; as previously observed, Fortinet products have been exploited by TAs, and access to them is actively sold on dark web markets.
Hence, owners of the affected product are advised to update to the latest fixed version released by the official vendor.
Cyble actively monitors mass exploitation attempts of known vulnerabilities via its Global Sensor Intelligence Network and dark web monitoring. The CRIL team will keep updating IOCs and new developments around CVE-2022-39952 in the near future.
Indicators of Compromise
| Indicator | Type | Description |
| --- | --- | --- |
| 173[.]249[.]56[.]171 | IP | Malicious and blacklisted IP as flagged by an online scanner |
| 173[.]212[.]243[.]253 | IP | Malicious and blacklisted IP as flagged by an online scanner |
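The timeline above notes that exploitation attempts were observed within a day of the POC going public, and the IOC list gives two source addresses. The following script is an added example (not Cyble's or Fortinet's tooling) of the triage a defender can run over a FortiNAC web server access log: it flags every request for keyUpload.jsp (a POST as a possible upload, anything else as a probe) and every request from one of the published IOC addresses. The log lines are constructed for the example; the "/configWizard/" directory in the sample paths is an assumed prefix, and matching is done on the file name keyUpload.jsp only. The IOC addresses are taken from the table above in defanged form and refanged for matching.

```python
"""Triage web-server access logs for CVE-2022-39952 activity.

Added example for this post, not Cyble's or Fortinet's tooling. The log
lines are constructed; the IOC IPs are the two listed in this post. The
"/configWizard/" directory in the sample paths is an assumed prefix:
matching is done on the file name keyUpload.jsp only.
"""
import re
from collections import Counter

# IOC IPs as published above, in defanged form.
IOC_IPS_DEFANGED = ["173[.]249[.]56[.]171", "173[.]212[.]243[.]253"]

# Constructed sample lines in Apache/nginx combined log format.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Feb/2023:03:14:07 +0000] "GET /login.jsp HTTP/1.1" 200 1532
173.249.56.171 - - [22/Feb/2023:03:15:41 +0000] "POST /configWizard/keyUpload.jsp HTTP/1.1" 200 0
198.51.100.7 - - [22/Feb/2023:03:16:02 +0000] "POST /configWizard/keyUpload.jsp?x=1 HTTP/1.1" 200 0
173.212.243.253 - - [22/Feb/2023:03:17:19 +0000] "GET / HTTP/1.1" 302 0
203.0.113.10 - - [22/Feb/2023:03:18:55 +0000] "GET /configWizard/keyUpload.jsp HTTP/1.1" 404 196
""".splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def refang(ioc):
    """Turn a defanged IOC ("1[.]2[.]3[.]4") back into a matchable string."""
    return ioc.replace("[.]", ".")


def triage(lines, ioc_ips=None):
    """Return one record per suspicious request: any request for
    keyUpload.jsp (a POST is a possible upload, anything else a probe),
    or any request from a published IOC address."""
    if ioc_ips is None:
        ioc_ips = {refang(ip) for ip in IOC_IPS_DEFANGED}
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m["path"].split("?", 1)[0]  # drop the query string
        reasons = []
        if path.lower().endswith("/keyupload.jsp"):
            kind = "file upload" if m["method"] == "POST" else "probe"
            reasons.append(f"{m['method']} to keyUpload.jsp ({kind})")
        if m["ip"] in ioc_ips:
            reasons.append("source IP in published IOC list")
        if reasons:
            hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                         "path": path, "status": int(m["status"]),
                         "reasons": reasons})
    return hits


def top_sources(hits):
    """Count hits per source IP, most active first."""
    return Counter(h["ip"] for h in hits).most_common()


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for h in results:
        print(f"{h['time']} {h['ip']:>16} {h['method']} {h['path']} "
              f"{h['status']} :: {'; '.join(h['reasons'])}")
    print(top_sources(results))
```

A successful POST to keyUpload.jsp from an unknown address is the record worth escalating: on an unpatched appliance it means the archive was written and unzipped as root, so the next step is to look for files recently created under / that the product did not ship, and for new web content or scheduled tasks. A GET returning 404 is most likely a scanner (the Nuclei template in the timeline above is one source of such probes) but still tells you the host is being enumerated.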
- Keep software, firmware, and applications updated with the latest patches and mitigations released by the official vendor to prevent attackers from exploiting known vulnerabilities.
- Implement proper network segmentation to prevent attackers from performing lateral movement and minimize exposure of critical assets over the internet.
- Regular audits, vulnerability assessments, and penetration testing exercises are key to finding security gaps that attackers may exploit.
- Continuous monitoring and logging can help in detecting network anomalies early.