FortiWeb, FortiOS, FortiNAC, and FortiProxy Have 40 Vulnerabilities That Fortinet Has Patched
SUMMARY
Fortinet has released security updates for FortiWeb, FortiOS, FortiNAC, and FortiProxy, among other products, fixing a total of 40 vulnerabilities.
RISK SCORING
CVE-ID CVSSv3 Score
CVE-2022-39952 9.8
CVE-2021-42756 9.8
TECHNICAL DETAILS
The most serious bug in the list is a vulnerability in the FortiNAC network access control product (CVE-2022-39952, CVSS score: 9.8): an external control of file name or path issue in the keyUpload scriptlet that lets an unauthenticated attacker write arbitrary files on the appliance and, from there, execute arbitrary code.
The second weakness to be aware of is a group of stack-based buffer overflows in FortiWeb's proxy daemon (CVE-2021-42756, CVSS score: 9.8) that could allow a remote, unauthenticated attacker to execute arbitrary code by sending specially crafted HTTP requests.
According to Fortinet, both issues were discovered internally by its product security team. Notably, CVE-2021-42756 was assigned its identifier in 2021 but was not disclosed publicly until the February 2023 advisory.
AFFECTED PRODUCTS
The products impacted by the CVE-2022-39952 vulnerability are as follows:
• FortiNAC version 9.4.0
• FortiNAC version 9.2.0 through 9.2.5
• FortiNAC version 9.1.0 through 9.1.7
• FortiNAC 8.8 all versions
• FortiNAC 8.7 all versions
• FortiNAC 8.6 all versions
• FortiNAC 8.5 all versions, and
• FortiNAC 8.3 all versions
CVE-2021-42756 affects FortiWeb releases earlier than the fixed versions; Fortinet shipped the patch in FortiWeb 6.0.8, 6.1.3, 6.2.7, 6.3.17, and 7.0.0.
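The affected-version ranges above are the kind of data an asset owner has to match against a fleet inventory. The following is an added example (not code from Fortinet or from the original bulletin) that encodes the FortiNAC ranges and the FortiWeb fixed releases listed on this page and triages a constructed sample inventory. The inventory hosts, the version-string format, and the decision to report FortiWeb branches with no listed fix (such as 6.4) as "verify" rather than guessing are assumptions made for the example.

```python
"""Triage a device inventory against the version ranges in this bulletin (added example)."""
from __future__ import annotations

import re

def parse_version(s: str) -> tuple[int, int, int]:
    """Turn '9.2.5', 'v9.2.5 build1234' or '9.4' into a comparable 3-tuple."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", s.strip())
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad short strings such as '9.4' so that (9, 4) compares as (9, 4, 0).
    return (parts + (0, 0, 0))[:3]

# FortiNAC ranges affected by CVE-2022-39952, exactly as listed in this bulletin.
# (low, high) is inclusive; high=None means "all versions of that branch".
FORTINAC_AFFECTED = [
    ((9, 4, 0), (9, 4, 0)),
    ((9, 2, 0), (9, 2, 5)),
    ((9, 1, 0), (9, 1, 7)),
    ((8, 8), None),
    ((8, 7), None),
    ((8, 6), None),
    ((8, 5), None),
    ((8, 3), None),
]

# FortiWeb releases the bulletin names as carrying the fix for CVE-2021-42756,
# keyed by release branch (major, minor).
FORTIWEB_FIXED = {
    (6, 0): (6, 0, 8),
    (6, 1): (6, 1, 3),
    (6, 2): (6, 2, 7),
    (6, 3): (6, 3, 17),
    (7, 0): (7, 0, 0),
}

def fortinac_affected(version: str) -> bool:
    """True if the FortiNAC version falls inside any listed affected range."""
    v = parse_version(version)
    for low, high in FORTINAC_AFFECTED:
        if high is None:
            # Whole-branch entry: compare only the branch prefix (e.g. 8.8.x).
            if v[: len(low)] == low:
                return True
        elif low <= v <= high:
            return True
    return False

def fortiweb_status(version: str) -> str:
    """'patched'    : branch has a listed fix and version >= that fix
       'vulnerable' : branch has a listed fix and version is below it
       'verify'     : branch has no fix listed here (assumption: do not guess,
                      send the operator to the vendor advisory)"""
    v = parse_version(version)
    fix = FORTIWEB_FIXED.get(v[:2])
    if fix is None:
        return "verify"
    return "patched" if v >= fix else "vulnerable"

# Constructed sample inventory for the example; these are not real hosts.
SAMPLE_INVENTORY = [
    ("nac-01", "FortiNAC", "9.2.5"),
    ("nac-02", "FortiNAC", "9.4.1"),
    ("nac-03", "FortiNAC", "8.8.11"),
    ("waf-01", "FortiWeb", "6.3.16"),
    ("waf-02", "FortiWeb", "v7.0.1 build0050"),
    ("waf-03", "FortiWeb", "6.4.2"),
]

def triage(inventory: list[tuple[str, str, str]]) -> list[tuple[str, str, str]]:
    """Return (host, cve, status) for every device that still needs attention."""
    findings = []
    for host, product, ver in inventory:
        if product == "FortiNAC" and fortinac_affected(ver):
            findings.append((host, "CVE-2022-39952", "vulnerable"))
        elif product == "FortiWeb":
            status = fortiweb_status(ver)
            if status != "patched":
                findings.append((host, "CVE-2021-42756", status))
    return findings

if __name__ == "__main__":
    for host, cve, status in triage(SAMPLE_INVENTORY):
        print(f"{host:8} {cve:15} {status}")
```

Whole-branch entries are matched on the branch prefix rather than a numeric range so that an 8.8 appliance is flagged regardless of its patch level, which is what "all versions" in the advisory means; unlisted FortiWeb branches are deliberately reported as "verify" instead of being silently treated as safe.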
RECOMMENDATIONS
• Upgrade FortiNAC to a fixed release: 9.4.1 or above, 9.2.6 or above, 9.1.8 or above, or 7.2.0 or above, as stated in Fortinet advisory FG-IR-22-300. The 8.x branches listed above receive no fix and must be migrated.
• Upgrade FortiWeb to 6.0.8, 6.1.3, 6.2.7, 6.3.17, or 7.0.0 (or a later release in the same branch).
• Apply the fixes promptly: penetration testing company Horizon3.ai has stated it will "soon" release proof-of-concept (PoC) code for CVE-2022-39952, and an unauthenticated file-write bug in a management plane is an attractive target once a PoC is public.
• Until the upgrade is complete, restrict network access to the FortiNAC web interface to trusted management networks.
REFERENCES
• https://thehackernews.com/2023/02/fortinet-issues-patches-for-40-flaws.html
• https://www.fortiguard.com/psirt/FG-IR-22-300
• https://nvd.nist.gov/vuln/detail/CVE-2022-39952
• https://nvd.nist.gov/vuln/detail/CVE-2021-42756