National CSIRT-CY | National Computer Security Incident Response Team of Cyprus

The National Computer Security Incident Response Team works to raise the level of cyber security by strengthening the protection of the cyberspace of the National Critical Information Infrastructures, the banks and the communication providers of the Republic of Cyprus.

Exploit released for critical Fortinet RCE flaws, patch now

22 February 2023

Security researchers have released a proof-of-concept exploit for a critical-severity vulnerability (CVE-2022-39952) in Fortinet's FortiNAC network access control suite.

Fortinet disclosed the security issue on February 16 and calculated a severity score of 9.8. The vendor warned that it could be leveraged by an unauthenticated attacker to write arbitrary files on the system and achieve remote code execution with the highest privileges.

Organizations using FortiNAC 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, and all versions on the 8.8, 8.7, 8.6, 8.5, and 8.3 branches were urged to prioritize applying the available security updates.

Today, the researchers at Horizon3 cybersecurity company published a technical post detailing the vulnerability and how it can be exploited. Proof-of-concept (PoC) exploit code is also available from the company's repository on GitHub.

Attacking FortiNAC

The released PoC involves writing a cron job to /etc/cron.d/ that triggers every minute to initiate a root reverse shell to the attacker, giving them remote code execution capabilities.

The analysts discovered that the fix for CVE-2022-39952 removed 'keyUpload.jsp,' an endpoint that parses requests for a 'key' parameter, writes it on a config file, and then executes a bash script, 'configApplianceXml.'

FortiNAC comparison

The bash script executes the 'unzip' command on the newly written file, but just before that, the script calls 'cd /'. "Unzip will allow placing files in any paths as long as they do not traverse above the current working directory. Because the working directory is /, the call to unzip inside the bash script allows any arbitrary file to be written," the researchers added.

Hence, an attacker can create a ZIP archive that contains the payload, specifying where it must be extracted, and then send it to the vulnerable endpoint using the key parameter. Horizon3 says the reverse shell should be ready within a minute.

The 'key' parameter ensures that the malicious request will reach 'keyUpload.jsp,' which is the unauthenticated endpoint that Fortinet removed in the fixed versions of FortiNAC.
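The root cause above is a pre-extraction check that was never made: the archive is unzipped from / without confirming where each member will land. The following added example (not Horizon3's PoC nor Fortinet's code) audits a ZIP before extraction and reports members that would be written outside an allowed directory; the allowed root /opt/keys and the sample archive are constructed for illustration.

```python
"""Audit a ZIP archive before extraction: report members that would land
outside an allowed directory when `unzip` runs from a given working directory.
Models the CVE-2022-39952 root cause (unzip invoked after `cd /`)."""
import io
import posixpath
import zipfile
from typing import List, Tuple


def landing_path(member: str, cwd: str) -> str:
    """Where unzip would write `member` when run from `cwd`.

    Info-ZIP unzip strips a leading '/' and drops '..' components, so every
    member is effectively relative to the working directory (assumption
    stated in the page: files cannot traverse above cwd, but cwd may be /).
    """
    parts = [p for p in member.split("/") if p not in ("", ".", "..")]
    return posixpath.join(cwd, *parts)


def audit_zip(data: bytes, cwd: str, allowed_root: str) -> List[Tuple[str, str]]:
    """Return (member, landing_path) for each member that escapes allowed_root.

    An empty list means every member stays inside allowed_root; any finding
    means extraction must be refused, because with cwd='/' an escaping member
    is an arbitrary file write (e.g. into /etc/cron.d/).
    """
    root = posixpath.normpath(allowed_root) + "/"
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            dest = landing_path(info.filename, cwd)
            if not dest.startswith(root):
                findings.append((info.filename, dest))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: one legitimate member under the hypothetical
    /opt/keys directory and one that would land in /etc/cron.d/ when
    extracted from /. Contents are placeholders, not a real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("opt/keys/appliance.xml", "<config/>\n")
        zf.writestr("etc/cron.d/unexpected_job", "# constructed placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, dest in audit_zip(build_sample_zip(), "/", "/opt/keys"):
        print(f"REJECT {member!r}: would be written to {dest}")
```

The same check applied with the real extraction directory as `allowed_root` would have rejected the archive described above before `unzip` ever ran.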

The code from Horizon3 automates this process and could be picked up and modified by threat actors into a weaponized exploit. It can also help defenders build appropriate protection against exploitation attempts on corporate networks. 

FortiNAC administrators are strongly recommended to immediately upgrade to a version of the product that is not affected by the CVE-2022-39952 vulnerability, specifically FortiNAC 9.4.1 or later, 9.2.6 or above, 9.1.8 or newer, and 7.2.0 or later.

The information is gathered from BleepingComputer.
