{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2023-012.pdf"
    },
    "title": "RCE vulnerabilities in Fortinet products",
    "serial_number": "2023-012",
    "publish_date": "20-02-2023 14:40:00",
    "description": "On February 16, 2023, Fortinet released advisories regarding critical vulnerabilities in FortiNAC and FortiWeb products that may allow unauthenticated attackers to perform remote arbitrary code or command execution.<br><br>The first vulnerability, identified as CVE-2022-39952 (CVSS score of 9.8), is related to the FortiNAC product. FortiNAC is Fortinet\u2019s network access control solution that enhances the Security Fabric. It also provides protection against IoT threats, extends control to third-party devices, and orchestrates automatic responses to a wide range of networking events.<br>The second vulnerability, identified as CVE-2021-42756 (CVSS score of 9.8), is related to FortiWeb products. FortiWeb is a web application firewall (WAF) that protects web applications and APIs from attacks that target known and unknown exploits and helps maintain compliance with regulations.",
    "url_title": "2023-012",
    "content_markdown": "--- \ntitle: 'RCE vulnerabilities in Fortinet products'\nversion: '1.0'\nnumber: '2023-012'\noriginal_date: 'February 16, 2023'\ndate: 'February 20, 2023'\n---\n\n_History:_\n\n* _20/02/2023 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn February 16, 2023, Fortinet released advisories regarding critical vulnerabilities in FortiNAC and FortiWeb products that may allow unauthenticated attackers to perform remote arbitrary code or command execution [1].\n\nThe first vulnerability, identified as `CVE-2022-39952` (CVSS score of 9.8), is related to the FortiNAC product. FortiNAC is Fortinet\u2019s network access control solution that enhances the Security Fabric. It also provides protection against IoT threats, extends control to third-party devices, and orchestrates automatic responses to a wide range of networking events [2,3]. The second vulnerability, identified as `CVE-2021-42756` (CVSS score of 9.8), is related to FortiWeb products. FortiWeb is a web application firewall (WAF) that protects web applications and APIs from attacks that target known and unknown exploits and helps maintain compliance with regulations [4,5].\n\n# Technical Details\n\nThe vulnerability `CVE-2022-39952` is due to an external control of file name or path vulnerability in the FortiNAC web server, and may allow an unauthenticated attacker to perform an arbitrary write on the system [6].\n\nThe vulnerability `CVE-2021-42756` is due to multiple stack-based buffer overflow vulnerabilities in FortiWeb's proxy daemon, and may allow an unauthenticated remote attacker to achieve arbitrary code execution via specifically crafted HTTP requests [7].\n\n# Affected Products\n\n**CVE-2022-39952** [6]:\n\n- FortiNAC version 9.4.0;\n- FortiNAC version 9.2.0 through 9.2.5;\n- FortiNAC version 9.1.0 through 9.1.7;\n- FortiNAC 8.8 all versions;\n- FortiNAC 8.7 all versions;\n- FortiNAC 8.6 all versions;\n- FortiNAC 8.5 all versions;\n- FortiNAC 8.3 all versions.\n\n**CVE-2021-42756** [7]:\n\n- FortiWeb 5.x all versions;\n- FortiWeb versions 6.0.7 and below;\n- FortiWeb versions 6.1.2 and below;\n- FortiWeb versions 6.2.6 and below;\n- FortiWeb versions 6.3.16 and below;\n- FortiWeb 6.4 all versions.\n\n# Recommendations\n\nUpgrade FortiNAC products to [6]:\n\n- FortiNAC version 9.4.1 or above;\n- FortiNAC version 9.2.6 or above;\n- FortiNAC version 9.1.8 or above;\n- FortiNAC version 7.2.0 or above.\n\nUpgrade FortiWeb products to [7]:\n\n- FortiWeb 7.0.0 or above;\n- FortiWeb 6.3.17 or above;\n- FortiWeb 6.2.7 or above;\n- FortiWeb 6.1.3 or above;\n- FortiWeb 6.0.8 or above.\n\n# References\n\n[1] <https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-rce-flaws-in-fortinac-and-fortiweb/>\n\n[2] <https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/fortinac.pdf>\n\n[3] <https://nvd.nist.gov/vuln/detail/CVE-2022-39952>\n\n[4] <https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiWeb.pdf>\n\n[5] <https://nvd.nist.gov/vuln/detail/CVE-2021-42756>\n\n[6] <https://www.fortiguard.com/psirt/FG-IR-22-300>\n\n[7] <https://www.fortiguard.com/psirt/FG-IR-21-186>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>20/02/2023 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On February 16, 2023, Fortinet released advisories regarding critical vulnerabilities in FortiNAC and FortiWeb products that may allow unauthenticated attackers to perform remote arbitrary code or command execution [1].</p><p>The first vulnerability, identified as <code>CVE-2022-39952</code> (CVSS score of 9.8), is related to the FortiNAC product. FortiNAC is Fortinet\u2019s network access control solution that enhances the Security Fabric. It also provides protection against IoT threats, extends control to third-party devices, and orchestrates automatic responses to a wide range of networking events [2,3]. The second vulnerability, identified as <code>CVE-2021-42756</code> (CVSS score of 9.8), is related to FortiWeb products. FortiWeb is a web application firewall (WAF) that protects web applications and APIs from attacks that target known and unknown exploits and helps maintain compliance with regulations [4,5].</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability <code>CVE-2022-39952</code> is due to an external control of file name or path vulnerability in the FortiNAC web server, and may allow an unauthenticated attacker to perform an arbitrary write on the system [6].</p><p>The vulnerability <code>CVE-2021-42756</code> is due to multiple stack-based buffer overflow vulnerabilities in FortiWeb's proxy daemon, and may allow an unauthenticated remote attacker to achieve arbitrary code execution via specifically crafted HTTP requests [7].</p><h2 id=\"affected-products\">Affected Products</h2><p><strong>CVE-2022-39952</strong> [6]:</p><ul><li>FortiNAC version 9.4.0;</li><li>FortiNAC version 9.2.0 through 9.2.5;</li><li>FortiNAC version 9.1.0 through 9.1.7;</li><li>FortiNAC 8.8 all versions;</li><li>FortiNAC 8.7 all versions;</li><li>FortiNAC 8.6 all versions;</li><li>FortiNAC 8.5 all versions;</li><li>FortiNAC 8.3 all versions.</li></ul><p><strong>CVE-2021-42756</strong> [7]:</p><ul><li>FortiWeb 5.x all versions;</li><li>FortiWeb versions 6.0.7 and below;</li><li>FortiWeb versions 6.1.2 and below;</li><li>FortiWeb versions 6.2.6 and below;</li><li>FortiWeb versions 6.3.16 and below;</li><li>FortiWeb 6.4 all versions.</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>Upgrade FortiNAC products to [6]:</p><ul><li>FortiNAC version 9.4.1 or above;</li><li>FortiNAC version 9.2.6 or above;</li><li>FortiNAC version 9.1.8 or above;</li><li>FortiNAC version 7.2.0 or above.</li></ul><p>Upgrade FortiWeb products to [7]:</p><ul><li>FortiWeb 7.0.0 or above;</li><li>FortiWeb 6.3.17 or above;</li><li>FortiWeb 6.2.7 or above;</li><li>FortiWeb 6.1.3 or above;</li><li>FortiWeb 6.0.8 or above.</li></ul><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-rce-flaws-in-fortinac-and-fortiweb/\">https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-rce-flaws-in-fortinac-and-fortiweb/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/fortinac.pdf\">https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/fortinac.pdf</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://nvd.nist.gov/vuln/detail/CVE-2022-39952\">https://nvd.nist.gov/vuln/detail/CVE-2022-39952</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiWeb.pdf\">https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiWeb.pdf</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://nvd.nist.gov/vuln/detail/CVE-2021-42756\">https://nvd.nist.gov/vuln/detail/CVE-2021-42756</a></p><p>[6] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.fortiguard.com/psirt/FG-IR-22-300\">https://www.fortiguard.com/psirt/FG-IR-22-300</a></p><p>[7] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.fortiguard.com/psirt/FG-IR-21-186\">https://www.fortiguard.com/psirt/FG-IR-21-186</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}