Cybersecurity solutions company Fortinet has released security updates for its FortiNAC and FortiWeb products, addressing two critical-severity vulnerabilities that may allow unauthenticated attackers to perform arbitrary code or command execution.
The first flaw, impacting FortiNAC, is tracked as CVE-2022-39952 and has a CVSS v3 score of 9.8 (critical).
FortiNAC is a network access control solution that helps organizations gain real-time network visibility, enforce security policies, and detect and mitigate threats.
“An external control of file name or path vulnerability [CWE-73] in FortiNAC webserver may allow an unauthenticated attacker to perform arbitrary write on the system,” reads the security advisory.
The products impacted by this flaw are:
- FortiNAC version 9.4.0
- FortiNAC version 9.2.0 through 9.2.5
- FortiNAC version 9.1.0 through 9.1.7
- FortiNAC 8.8 all versions
- FortiNAC 8.7 all versions
- FortiNAC 8.6 all versions
- FortiNAC 8.5 all versions
- FortiNAC 8.3 all versions
The CVE-2022-39952 vulnerability is fixed in FortiNAC 9.4.1 and later, 9.2.6 and later, 9.1.8 and later, and 7.2.0 and later.
The second vulnerability, which impacts FortiWeb, is CVE-2021-42756, with a CVSS v3 score of 9.3 (critical).
FortiWeb is a web application firewall (WAF) designed to protect web applications and APIs from cross-site scripting (XSS), SQL injection, bot attacks, DDoS (distributed denial of service), and other online threats.
“Multiple stack-based buffer overflow vulnerabilities [CWE-121] in FortiWeb’s proxy daemon may allow an unauthenticated remote attacker to achieve arbitrary code execution via specifically crafted HTTP requests,” describes Fortinet’s advisory.
CVE-2021-42756 impacts the below versions:
- FortiWeb versions 5.x all versions
- FortiWeb versions 6.0.7 and below
- FortiWeb versions 6.1.2 and below
- FortiWeb versions 6.2.6 and below
- FortiWeb versions 6.3.16 and below
- FortiWeb versions 6.4 all versions
To address the flaw, admins should upgrade to FortiWeb 7.0.0 or later, 6.3.17 or later, 6.2.7 or later, 6.1.3 or later, and 6.0.8 or later.
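The two affected-version lists above are easy to misread when checking a fleet by hand (for example, FortiNAC 9.4.0 is affected but 7.2.0 is not, and a FortiWeb build one point-release past the cut-off is fixed). The following Python script is an added example, not code from the article or from Fortinet, that encodes the advisory ranges exactly as quoted on this page and flags inventory rows still running an affected build. The inventory rows are constructed, and the comparison deliberately ignores Fortinet build numbers and only knows the versions listed here.

```python
"""Flag FortiNAC / FortiWeb builds that fall inside the affected ranges
quoted from the two Fortinet advisories above.

Added illustration, not Fortinet tooling. Version ranges are copied from
the advisory text on this page; the inventory is constructed sample data.
"""
from __future__ import annotations

import re
from typing import Optional


def parse_version(s: str) -> tuple[int, ...]:
    """'9.2.5' -> (9, 2, 5). Build suffixes are not handled on purpose."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(p) for p in m.group(1).split("."))


# One entry per advisory. 'ranges' are inclusive (low, high) pairs;
# 'all_of_branch' lists branches of which every release is affected.
ADVISORIES = {
    "FortiNAC": {
        "cve": "CVE-2022-39952",
        "ranges": [("9.4.0", "9.4.0"), ("9.2.0", "9.2.5"), ("9.1.0", "9.1.7")],
        "all_of_branch": ["8.8", "8.7", "8.6", "8.5", "8.3"],
    },
    "FortiWeb": {
        "cve": "CVE-2021-42756",
        # "6.0.7 and below" etc.: the whole branch up to and including that release.
        "ranges": [("6.0", "6.0.7"), ("6.1", "6.1.2"), ("6.2", "6.2.6"), ("6.3", "6.3.16")],
        "all_of_branch": ["5", "6.4"],
    },
}


def check(product: str, version: str) -> Optional[str]:
    """Return the CVE ID if `version` of `product` is listed as affected, else None."""
    adv = ADVISORIES[product]
    v = parse_version(version)
    for branch in adv["all_of_branch"]:
        b = parse_version(branch)
        if v[: len(b)] == b:          # prefix match: whole branch is affected
            return adv["cve"]
    for low, high in adv["ranges"]:
        if parse_version(low) <= v <= parse_version(high):
            return adv["cve"]
    return None


# Constructed inventory (hostname, product, version); not real appliance data.
INVENTORY = """\
nac-dc1,FortiNAC,9.2.5
nac-dc2,FortiNAC,9.4.1
nac-lab,FortiNAC,8.8.11
waf-edge1,FortiWeb,6.3.16
waf-edge2,FortiWeb,7.0.0
waf-legacy,FortiWeb,5.9.1
"""


def triage(inventory: str = INVENTORY) -> list[tuple[str, str]]:
    """Return (hostname, CVE) for every inventory row still on an affected build."""
    hits = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, product, version = (f.strip() for f in line.split(","))
        cve = check(product, version)
        if cve:
            hits.append((host, cve))
    return hits


if __name__ == "__main__":
    for host, cve in triage():
        print(f"{host}: affected by {cve}, upgrade required")
```

Because the advisory gives no workaround, the output of `triage()` is effectively the patch work queue; anything reported as unaffected should still be confirmed against the advisory, since the script knows only the ranges quoted above.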
Unusually, the CVE ID shows that the identifier was reserved in 2021, which suggests the flaw was reported to the vendor that year, yet it was not publicly disclosed until now.
The vendor has not provided mitigation advice or workarounds for either of the flaws, so applying the available security updates is the only way to address the risks.