Fortinet has released security patches for 40 vulnerabilities across FortiWeb, FortiOS, FortiNAC, FortiProxy and other products, two of which are rated critical.
Here’s everything you need to know about CVE-2022-39952 and CVE-2021-42756.
What are CVE-2022-39952 and CVE-2021-42756?
CVE-2022-39952 is a vulnerability in FortiNAC, Fortinet's network access control solution. Specifically, it is an external control of file name or path issue in the FortiNAC web server: an unauthenticated attacker can use it to perform arbitrary file writes on a vulnerable system. With a CVSS score of 9.8, this vulnerability is a serious security concern.
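To make the bug class concrete, here is an added illustration (not FortiNAC code, and not derived from the advisory) of what "external control of file name or path" looks like in a web handler, with the hardened form beside it. The base directory, function names and the constructed sample inputs are all assumptions for the example; the point is that a file name taken from a request must be canonicalized and confined to the intended directory before it is used for a write.

```python
"""External control of file name/path: vulnerable handler vs. confined handler.

Added example for illustration only; it does not model FortiNAC's code.
Uses posixpath explicitly so the path rules are the same on every OS.
"""
import posixpath

# Constructed base directory that the application intends to write into.
UPLOAD_ROOT = "/srv/app/uploads"


def naive_target(base: str, user_name: str) -> str:
    """VULNERABLE: trusts the request-supplied name.

    posixpath.join() discards `base` entirely when `user_name` is absolute,
    and ".." components walk out of `base` before the write happens.
    """
    return posixpath.normpath(posixpath.join(base, user_name))


def safe_target(base: str, user_name: str) -> str:
    """Hardened: canonicalize, then require the result to stay under `base`.

    Raises ValueError for any name that would resolve outside the directory
    (absolute paths, ".." escapes, empty names) or that carries a NUL byte.
    """
    if "\x00" in user_name:
        raise ValueError("NUL byte in file name")
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, user_name))
    # Strict prefix check with the separator: "/srv/app/uploads-evil" must not pass.
    if not candidate.startswith(base + "/"):
        raise ValueError(f"path escapes upload root: {user_name!r}")
    return candidate


def is_confined(base: str, user_name: str) -> bool:
    """Boolean wrapper around safe_target(), handy for tests and log review."""
    try:
        safe_target(base, user_name)
        return True
    except ValueError:
        return False


def triage(base: str, names: list[str]) -> dict[str, list[str]]:
    """Split a batch of request-supplied names into accepted and rejected."""
    result: dict[str, list[str]] = {"accepted": [], "rejected": []}
    for name in names:
        result["accepted" if is_confined(base, name) else "rejected"].append(name)
    return result


if __name__ == "__main__":
    # Constructed sample inputs: one benign name, one nested name, two escapes.
    samples = ["report.txt", "sub/../report.txt", "../../../etc/passwd", "/etc/passwd"]
    for name in samples:
        print(f"{name!r:28} naive -> {naive_target(UPLOAD_ROOT, name)}")
    print(triage(UPLOAD_ROOT, samples))
```

On a real filesystem the same check should be applied after `os.path.realpath()` so that symlinks inside the upload directory cannot point the final write elsewhere; the string-level check above is the minimum, not the whole fix.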
CVE-2021-42756 is a severe vulnerability in FortiWeb’s proxy daemon that has been assigned a “very critical” severity rating. This vulnerability is associated with multiple stack-based buffer overflow vulnerabilities and can allow attackers to remotely execute arbitrary code on the affected system using malicious HTTP requests. Although the vulnerability was discovered over a year ago, Fortinet has only recently provided patches for it, and it is unclear why there was a delay in doing so. Horizon3, an autonomous pen-testing company, has announced that it will soon publish a blog post on exploiting CVE-2021-42756 for remote code execution with root privileges. Given that there are many Fortinet systems exposed to the internet, it is believed that a significant number of them are vulnerable to attacks exploiting this vulnerability.
Do they affect me?
The following products are affected by CVE-2022-39952:
- FortiNAC version 9.4.0
- FortiNAC version 9.2.0 through 9.2.5
- FortiNAC version 9.1.0 through 9.1.7
- FortiNAC 8.8 all versions
- FortiNAC 8.7 all versions
- FortiNAC 8.6 all versions
- FortiNAC 8.5 all versions
- FortiNAC 8.3 all versions
The following FortiWeb versions are affected by CVE-2021-42756:
- FortiWeb 6.4 all versions
- FortiWeb versions 6.3.16 and below
- FortiWeb versions 6.2.6 and below
- FortiWeb versions 6.1.2 and below
- FortiWeb versions 6.0.7 and below
- FortiWeb 5.x all versions
Have CVE-2022-39952 and CVE-2021-42756 been actively exploited in the wild?
In the case of CVE-2022-39952, penetration testing company Horizon3.ai stated that it plans to release proof-of-concept (PoC) code for the vulnerability "soon," so users should apply the updates promptly.
There is currently no proof of concept (PoC) available for CVE-2021-42756.
How to fix CVE-2022-39952 and CVE-2021-42756
CVE-2022-39952: patches are available in FortiNAC versions 7.2.0 and 9.1.8.
CVE-2021-42756: fixes are available in FortiWeb versions 6.0.8, 6.1.3, 6.2.7, 6.3.17, and 7.0.0.
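The affected and fixed version lists above are the kind of data a defender ends up checking against an asset inventory. Here is an added example (not from the original post and not a Fortinet tool) that encodes exactly the ranges stated on this page and answers, for a given product and version string, whether it is affected and which listed fix sits in the same release branch. The product/version pairs in the inventory are constructed sample data; version strings are assumed to be plain dotted integers, and where the page lists no fix for a branch the function reports none rather than guessing.

```python
"""Check Fortinet product versions against the affected ranges quoted above.

Added example; the ranges and fix versions are transcribed from this page,
everything else (names, inventory, parsing rules) is an assumption.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

Version = tuple[int, ...]


def parse_version(text: str) -> Version:
    """'9.2.5' -> (9, 2, 5); '6.4' -> (6, 4). Assumes plain dotted integers."""
    return tuple(int(part) for part in text.strip().split("."))


def fmt(v: Version) -> str:
    return ".".join(str(p) for p in v)


@dataclass(frozen=True)
class AffectedRange:
    low: Version                 # inclusive lower bound, or branch prefix
    high: Optional[Version]      # inclusive upper bound; None = whole branch

    def contains(self, v: Version) -> bool:
        if self.high is None:                     # "X.Y all versions"
            return v[: len(self.low)] == self.low
        return self.low <= v <= self.high         # tuple comparison


# Transcribed from the affected-product and fix lists on this page.
ADVISORIES: dict[str, tuple[str, list[AffectedRange], list[Version]]] = {
    "FortiNAC": (
        "CVE-2022-39952",
        [
            AffectedRange((9, 4, 0), (9, 4, 0)),
            AffectedRange((9, 2), (9, 2, 5)),
            AffectedRange((9, 1), (9, 1, 7)),
            *(AffectedRange((8, m), None) for m in (8, 7, 6, 5, 3)),
        ],
        [(7, 2, 0), (9, 1, 8)],
    ),
    "FortiWeb": (
        "CVE-2021-42756",
        [
            AffectedRange((6, 4), None),
            AffectedRange((6, 3), (6, 3, 16)),
            AffectedRange((6, 2), (6, 2, 6)),
            AffectedRange((6, 1), (6, 1, 2)),
            AffectedRange((6, 0), (6, 0, 7)),
            AffectedRange((5,), None),
        ],
        [(6, 0, 8), (6, 1, 3), (6, 2, 7), (6, 3, 17), (7, 0, 0)],
    ),
}


def assess(product: str, version: str) -> dict:
    """Return affected status and the same-branch fix listed on this page, if any."""
    cve, ranges, fixes = ADVISORIES[product]
    v = parse_version(version)
    affected = any(r.contains(v) for r in ranges)
    same_branch = [f for f in fixes if f[:2] == v[:2]]
    fix = fmt(same_branch[0]) if (affected and same_branch) else None
    return {"product": product, "version": version, "cve": cve,
            "affected": affected, "recommended_fix": fix}


def scan_inventory(inventory: list[tuple[str, str]]) -> list[dict]:
    """Assess every (product, version) pair and return only the affected ones."""
    return [r for r in (assess(p, v) for p, v in inventory) if r["affected"]]


if __name__ == "__main__":
    # Constructed inventory for demonstration.
    inventory = [("FortiNAC", "9.2.3"), ("FortiNAC", "9.1.8"), ("FortiNAC", "8.8.11"),
                 ("FortiWeb", "6.3.16"), ("FortiWeb", "6.3.17"), ("FortiWeb", "5.9.1")]
    for hit in scan_inventory(inventory):
        print(hit)
```

A `recommended_fix` of `None` on an affected host means this page lists no fixed release for that branch (for example FortiNAC 9.2.x or 9.4.x), so the vendor advisory has to be consulted rather than assuming the nearest listed number.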
Next steps
Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors:
- Cyber risk in 2022- a 360° view report
- MITRE ATT&CK framework – Mapping techniques to CVEs
- Exploit maturity: an introduction
- How to properly tackle zero-day threats
- VulnRX – the CVE fix directory
And finally…
Don’t get found out by new vulnerabilities. Vulcan Cyber gives you full visibility and oversight of your threat environment and lets you prioritize, remediate, and communicate your cyber risk across your entire organization. Get a demo today.