Fortinet patches critical CVE-2022-39952 & CVE-2021-42756 bugs in its products

CVE-2022-39952

Fortinet has warned administrators to update FortiNAC and FortiWeb to the latest versions, which address two critical-severity vulnerabilities.

The FortiNAC flaw, tracked as CVE-2022-39952 (CVSS score 9.8), is an arbitrary file write in the keyUpload endpoint of the FortiNAC web server: an unauthenticated attacker can write files to the system via specially crafted HTTP requests and, through that write, execute unauthorized code or commands.

“An external control of file name or path vulnerability [CWE-73] in FortiNAC webserver may allow an unauthenticated attacker to perform arbitrary write on the system,” Fortinet explains in a customer support bulletin.

Fortinet has advised users to update to the latest available versions immediately. The FortiNAC versions affected by CVE-2022-39952 are:

  • FortiNAC version 9.4.0
  • FortiNAC version 9.2.0 through 9.2.5
  • FortiNAC version 9.1.0 through 9.1.7
  • FortiNAC 8.8 all versions
  • FortiNAC 8.7 all versions
  • FortiNAC 8.6 all versions
  • FortiNAC 8.5 all versions
  • FortiNAC 8.3 all versions

Another critical bug, tracked as CVE-2021-42756 (CVSS score 9.3), covers multiple stack-based buffer overflows in FortiWeb’s proxy daemon that allow an unauthenticated remote attacker to achieve arbitrary code execution via specially crafted HTTP requests. The affected FortiWeb versions are:

  • FortiWeb 5.x all versions
  • FortiWeb 6.0.7 and below
  • FortiWeb 6.1.2 and below
  • FortiWeb 6.2.6 and below
  • FortiWeb 6.3.16 and below
  • FortiWeb 6.4 all versions
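The two version lists above are easy to misread when checked by hand (a "through 9.2.5" range and an "all versions" branch behave differently from "6.0.7 and below"). The following script is an added example, not Fortinet's own tooling: it encodes exactly the FortiNAC and FortiWeb ranges listed in this article and flags inventory entries that fall inside them. The host names and version strings in the sample inventory are constructed; the assumption that releases newer than a listed ceiling within the same branch are fixed, and that branches not listed are unaffected, should be confirmed against the vendor advisory before it is relied on.

```python
"""Match FortiNAC / FortiWeb version strings against the affected ranges
listed for CVE-2022-39952 and CVE-2021-42756.

Added example, not Fortinet's code. The ranges reproduce the two lists
in the article; the sample inventory below is constructed.
"""
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# (branch prefix, highest affected version in that branch or None = whole branch)
AFFECTED = {
    "FortiNAC": [
        ((9, 4), (9, 4, 0)),    # 9.4.0 only
        ((9, 2), (9, 2, 5)),    # 9.2.0 through 9.2.5
        ((9, 1), (9, 1, 7)),    # 9.1.0 through 9.1.7
        ((8, 8), None), ((8, 7), None), ((8, 6), None),
        ((8, 5), None), ((8, 3), None),   # whole branches
    ],
    "FortiWeb": [
        ((5,), None),           # 5.x all versions
        ((6, 0), (6, 0, 7)),    # 6.0.7 and below
        ((6, 1), (6, 1, 2)),
        ((6, 2), (6, 2, 6)),
        ((6, 3), (6, 3, 16)),
        ((6, 4), None),         # 6.4 all versions
    ],
}
CVE_FOR = {"FortiNAC": "CVE-2022-39952", "FortiWeb": "CVE-2021-42756"}


def parse_version(text: str) -> Version:
    """Turn strings like '9.2.5', 'v6.3.16-build0789' or '6.3.16 build0789'
    into an integer tuple, ignoring build suffixes."""
    core = text.strip().split()[0].lstrip("vV")
    parts: List[int] = []
    for piece in core.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def in_range(version: Version, branch: Version, ceiling: Optional[Version]) -> bool:
    """True if version sits in the branch and, when a ceiling is given,
    is not newer than it. Only as many components as the ceiling has are
    compared, so 9.2.5.x is treated as still inside a 9.2.5 ceiling."""
    if version[: len(branch)] != branch:
        return False
    if ceiling is None:
        return True
    return version[: len(ceiling)] <= ceiling


def affected_cve(product: str, version_text: str) -> Optional[str]:
    """Return the CVE id if this product/version is in an affected range."""
    if product not in AFFECTED:
        raise ValueError(f"no range data for product {product!r}")
    version = parse_version(version_text)
    for branch, ceiling in AFFECTED[product]:
        if in_range(version, branch, ceiling):
            return CVE_FOR[product]
    return None   # assumption: unlisted branches and newer releases are fixed


# Constructed sample inventory (host, product, version string).
SAMPLE_INVENTORY = [
    ("nac-01", "FortiNAC", "9.2.5"),
    ("nac-02", "FortiNAC", "9.2.6"),
    ("nac-03", "FortiNAC", "8.8.11"),
    ("waf-01", "FortiWeb", "6.3.16 build0789"),
    ("waf-02", "FortiWeb", "6.3.17"),
    ("waf-03", "FortiWeb", "v7.0.2-build0123"),
]


def triage(inventory) -> List[Tuple[str, str]]:
    """Return (host, cve) for every inventory entry in an affected range."""
    hits = []
    for host, product, ver in inventory:
        cve = affected_cve(product, ver)
        if cve is not None:
            hits.append((host, cve))
    return hits


if __name__ == "__main__":
    for host, cve in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected by {cve}, upgrade required")
```

Run against the constructed inventory, the script flags nac-01, nac-03 and waf-01 and leaves the 9.2.6, 6.3.17 and 7.0.2 hosts alone; swap in an export from your own asset inventory to get the real list.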

According to the same customer support bulletin, Fortinet released a batch of security patches on Thursday and also asked customers to update FortiADC, FortiExtender, FortiOS, FortiProxy & FortiSwitchManager, FortiWAN, FortiAnalyzer, FortiAuthenticator, FortiPortal, and FortiSandbox to the latest versions.

Fortinet has not published mitigations or workarounds for either flaw, so upgrading the affected products is the only recommended remediation. Where an upgrade cannot be applied immediately, limiting network exposure of the affected web interfaces reduces the attack surface, but it is not a substitute for patching, since both bugs are reachable without authentication.