Companies urged to patch critical vulnerability in Fortinet FortiNAC

source link: https://www.csoonline.com/article/3689010/companies-urged-to-patch-critical-vulnerability-in-fortinet-fortinac.html

The high-severity vulnerability allows unauthorized users to write arbitrary files to the system, and it is being exploited.

By Lucian Constantin

CSO Senior Writer,

CSO | Feb 23, 2023 4:20 pm PST

Proof-of-concept exploit code is now available for a critical vulnerability in Fortinet FortiNAC appliances and attackers have already started using it in the wild. Users are advised to patch their systems as soon as possible.

FortiNAC is a zero-trust network access solution that can be deployed both as a hardware device or as a virtual machine appliance. It is used for network segmentation, visibility, and control of devices and users connected to the network. As such, it can be deployed at the network perimeter, making it an easier target for internet-based attacks. According to Shodan scans, more than 700,000 Fortinet devices are connected to the internet around the world.

Unauthenticated remote code execution

The vulnerability, tracked as CVE-2022-39952, was disclosed and patched by Fortinet last week. It allows unauthenticated attackers to write arbitrary files on the system, which can result in code or command execution. The flaw was discovered internally by a member of the Fortinet product security team and is rated 9.8 out of 10 on the CVSS severity scale.

Researchers from security consultancy Horizon3.ai performed a comparison of the patched and vulnerable FortiNAC appliance versions and were able to locate and confirm the vulnerability. It is located in a file called keyUpload.jsp that allows the upload of files that are then saved locally in the location /bsc/campusMgr/config.applianceKey.

The operating system then executes a bash script that runs an unzip command against the stored file. Initially this hinted at a potential path traversal vulnerability, where attackers could create an archive that, when unpacked, writes files outside of the intended path. However, this is not the case for unzip, which strips such relative path components and therefore protects against path traversal, the researchers said. The bash script that calls unzip, however, first changes the current working directory to "/", which on Linux is the root of the filesystem.

"Unzip will allow placing files in any paths as long as they do not traverse above the current working directory," the researchers said. "Because the working directory is '/', the call to unzip inside the bash script allows any arbitrary file to be written."

In other words, attackers can create a zip file that unpacks its contents to any file path on the whole filesystem. To demonstrate a weaponized exploit, the Horizon3 researchers used the vulnerability to write a malicious payload under /etc/cron.d/, the scheduled-task mechanism on Linux. The task executes every minute and initiates a reverse shell to the attacker.
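The root cause described above is not unzip itself but the working directory it is given: with the current directory at "/", every relative entry in the archive becomes an absolute path on the appliance. The following Python extractor is an added example, not Fortinet's or Horizon3's code, showing the checks an upload handler for a single-file archive should make instead: refuse the filesystem root as a destination, reject absolute and parent-traversing entries, reject nested paths outright, and only write names from an allowlist. The allowlist (config.applianceKey as the sole expected file) and the sample archive contents are assumptions constructed for the demonstration.

```python
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath
from typing import Dict, List, Optional, Tuple

# Assumption: a config-key archive is expected to carry exactly one top-level
# file. Anything else in the archive is rejected rather than extracted.
ALLOWED_NAMES = {"config.applianceKey"}


def entry_problem(name: str, dest: Path) -> Optional[str]:
    """Return None if `name` is safe to extract into `dest`, else the reason it is not."""
    p = PurePosixPath(name)
    if p.is_absolute():
        return "absolute path"
    if ".." in p.parts:
        return "parent-directory traversal"
    if len(p.parts) != 1:
        # Nested paths are what a working directory of "/" turns into writes to
        # /etc/cron.d or anywhere else; this archive has no reason to carry them.
        return "nested path"
    if p.name not in ALLOWED_NAMES:
        return "not an expected file name"
    if dest not in (dest / p.name).resolve().parents:
        return "resolves outside destination"
    return None


def safe_extract(zip_bytes: bytes, dest: Path) -> Tuple[List[str], Dict[str, str]]:
    """Extract only allow-listed, non-traversing entries into `dest`.

    Returns (names extracted, {name: reason} for names rejected)."""
    dest = dest.resolve()
    if dest == Path(dest.anchor):
        # The FortiNAC script's mistake: a working directory of "/" makes every
        # relative path in the archive an absolute path on the appliance.
        raise ValueError("refusing to extract into the filesystem root")
    extracted: List[str] = []
    rejected: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            problem = entry_problem(info.filename, dest)
            if problem:
                rejected[info.filename] = problem
                continue
            (dest / info.filename).write_bytes(zf.read(info))
            extracted.append(info.filename)
    return extracted, rejected


def build_zip(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip; used here only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def refuses_root() -> bool:
    """True if the extractor refuses "/" as a destination before touching disk."""
    try:
        safe_extract(build_zip({"config.applianceKey": b""}), Path("/"))
    except ValueError:
        return True
    return False


def demo() -> Tuple[List[str], Dict[str, str]]:
    """Run the extractor over a constructed archive in a scratch directory."""
    # Constructed sample: one legitimate entry plus the kinds of entries an
    # attacker-supplied archive would carry.
    sample = build_zip({
        "config.applianceKey": b"license-key-bytes",
        "etc/cron.d/job": b"",
        "../outside": b"",
        "other.txt": b"",
    })
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(sample, Path(tmp))
```

The allowlist is the check that matters most here: a single-file archive that is only ever supposed to carry one named file has no legitimate reason to contain "etc/cron.d/anything", whatever directory the extractor happens to run in.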

Abusing cron.d is only one way of exploiting this flaw to achieve remote code execution. Attackers could also overwrite any binary on the system that they know the OS will execute, or add their own SSH key to a user profile, enabling remote access as that user via SSH.

"Unfortunately, the FortiNAC appliance does not allow access to the GUI unless a license key has been added, so no native GUI logs were available to check for indicators," the researchers said. "However, exploitation of the issue was observable in filesystem logs located at /bsc/logs/output.master. Specifically, you could check for the line Running configApplianceXml as long as the attacker has not cleared out this log file."

Fortinet advises users to upgrade to FortiNAC version 9.2.6 or above, 9.1.8 or above and 7.2.0 or above, depending on which supported release they use.

Active attacks using the FortiNAC vulnerability

CronUp, a cybersecurity company based in Chile, reported seeing attacks that exploit the FortiNAC vulnerability. First, they saw attempts that created reverse shells, similar to Horizon3's proof-of-concept.

Then attackers switched to deploying webshells -- web-based backdoor scripts that allow remote execution of commands. Two webshells observed so far were deployed under bsc/campusMgr/ui/ROOT/fortii.jsp and bsc/campusMgr/ui/ROOT/shell.jsp on vulnerable installations. GreyNoise, a service that tracks malicious traffic on the internet, added the ability to detect attacks targeting this vulnerability and has started seeing exploitation attempts.
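The article gives defenders three concrete things to look for: the "Running configApplianceXml" line in /bsc/logs/output.master (the Horizon3 indicator quoted above), the two webshell paths reported by CronUp, and new files under /etc/cron.d/ from the reverse-shell variant. The following triage script is an added example, not code from Fortinet, Horizon3 or CronUp, that runs all three checks against a filesystem root. The log marker fires whenever the upload handler runs, so a hit means "review this", not "compromised"; and, as the researchers note, it is only useful if the attacker has not cleared the log. The sample log lines, the log line format, and the cron.d baseline ("sysstat") are constructed assumptions.

```python
import tempfile
from pathlib import Path
from typing import Dict, List

# Indicator quoted from the Horizon3 write-up: the line written to
# /bsc/logs/output.master when the upload handler runs.
LOG_MARKER = "Running configApplianceXml"
LOG_PATH = "bsc/logs/output.master"

# Webshell locations reported by CronUp, relative to the filesystem root.
KNOWN_WEBSHELL_PATHS = [
    "bsc/campusMgr/ui/ROOT/fortii.jsp",
    "bsc/campusMgr/ui/ROOT/shell.jsp",
]

# Assumption: a baseline of /etc/cron.d entries captured from a known-good
# appliance of the same version; anything not in it is flagged for review.
CRON_D_BASELINE = {"sysstat"}


def marker_hits(log_text: str) -> List[str]:
    """Return every log line carrying the upload-handler marker."""
    return [line for line in log_text.splitlines() if LOG_MARKER in line]


def webshell_hits(root: Path) -> List[str]:
    """Return the known webshell paths that exist under `root`."""
    return [p for p in KNOWN_WEBSHELL_PATHS if (root / p).is_file()]


def unexpected_cron_entries(root: Path) -> List[str]:
    """Return /etc/cron.d entries that are not in the baseline."""
    cron_d = root / "etc" / "cron.d"
    if not cron_d.is_dir():
        return []
    return sorted(p.name for p in cron_d.iterdir() if p.name not in CRON_D_BASELINE)


def triage(root: Path) -> Dict[str, List[str]]:
    """Run all three checks against a filesystem rooted at `root`."""
    log = root / LOG_PATH
    text = log.read_text(errors="replace") if log.is_file() else ""
    return {
        "log_marker": marker_hits(text),
        "webshells": webshell_hits(root),
        "cron_d": unexpected_cron_entries(root),
    }


# Constructed sample log; the timestamp format is an assumption, only the
# marker text comes from the write-up.
SAMPLE_LOG = """\
2023-02-20 10:01:02 INFO scheduler tick
2023-02-20 10:01:05 INFO Running configApplianceXml
2023-02-20 10:01:06 INFO scheduler tick
"""


def demo() -> Dict[str, List[str]]:
    """Build a scratch tree that mimics a compromised appliance and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bsc" / "logs").mkdir(parents=True)
        (root / LOG_PATH).write_text(SAMPLE_LOG)
        (root / "bsc/campusMgr/ui/ROOT").mkdir(parents=True)
        (root / KNOWN_WEBSHELL_PATHS[0]).write_text("")  # planted empty file
        (root / "etc" / "cron.d").mkdir(parents=True)
        (root / "etc/cron.d/sysstat").write_text("")     # in baseline
        (root / "etc/cron.d/payload").write_text("")     # not in baseline
        return triage(root)
```

On a live appliance the entry point is `triage(Path("/"))`; against a forensic image mounted read-only, pass the mount point instead. The cron.d check is only as good as the baseline, so capture that from a clean appliance of the same release rather than from the host being examined.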

This is not the first time attackers have targeted Fortinet products and security appliances. In January, Fortinet warned users that attackers were exploiting a critical vulnerability in FortiOS SSL-VPN, patched in December, to deploy a sophisticated Linux implant.
