Fortinet fixes critical FortiNAC RCE, install updates asap

Pierluigi Paganini June 23, 2023

Fortinet addressed a critical remote command execution vulnerability, tracked as CVE-2023-33299, affecting FortiNAC solution.

FortiNAC is a network access control (NAC) solution designed by Fortinet that is used by organizations to secure and control access to networks by enforcing security policies, monitoring devices, and managing their access privileges.

FortiNAC helps organizations protect their network infrastructure by providing visibility and control over devices that connect to the network, such as laptops, smartphones, IoT devices, and other endpoints. It enables network administrators to define and enforce security policies, authenticate and authorize devices, and monitor network activity.

Fortinet has released security updates to address a critical vulnerability, tracked as CVE-2023-33299 (CVSS score 9.6/10), that can be exploited by an unauthenticated attacker to execute arbitrary code and commands on vulnerable devices.

“A deserialization of untrusted data vulnerability [CWE-502] in FortiNAC may allow an unauthenticated user to execute unauthorized code or commands via specifically crafted requests to the tcp/1050 service.” reads the advisory.

The vulnerability was reported to the company by Florian Hauser from CODE WHITE.

Below are the impacted products:

FortiNAC version 9.4.0 through 9.4.2
FortiNAC version 9.2.0 through 9.2.7
FortiNAC version 9.1.0 through 9.1.9
FortiNAC version 7.2.0 through 7.2.1
FortiNAC 8.8 all versions
FortiNAC 8.7 all versions
FortiNAC 8.6 all versions
FortiNAC 8.5 all versions
FortiNAC 8.3 all versions

The company released the following updates to address the issue:

Please upgrade to FortiNAC version 9.4.3 or above
Please upgrade to FortiNAC version 9.2.8 or above
Please upgrade to FortiNAC version 9.1.10 or above
Please upgrade to FortiNAC version 7.2.2 or above

Customers are recommended to immediately install the above version due to the level of severity of the issue.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, FortiNAC)

you might also like

leave a comment