Publicly released PoC for CVE-2022-39952 in FortiNAC enables threat actors to perform arbitrary file writes and potentially deploy web shells on vulnerable systems. The article highlights exposed FortiNAC instances, affected versions, and urges timely patching and network protections. #FortiNAC #CVE-2022-39952 #Fortinet #Horizon3AI
Keypoints
- FortiNAC contains an external control of file name or path vulnerability (CWE-73) that may allow arbitrary writes and deployment of web shells.
- Affected FortiNAC versions include 9.4.0; 9.2.0–9.2.5; 9.1.0–9.1.7; and all 8.x series (8.3–8.8).
- Fortinet's PSIRT advisory and, shortly afterwards, a public PoC (Horizon3.ai) were followed by observed exploitation attempts in February 2023.
- Over 1,000 FortiNAC internet-exposed instances were reported, indicating a sizable attack surface (note: exposure does not equal vulnerability).
- Attack chain: an unauthenticated request to keyUpload.jsp writes the uploaded file to /bsc/campusMgr/config/upload.applianceKey; the scriptlet then runs /bsc/campusMgr/bin/configApplianceXml as root, which changes directory to / and unzips that file. Because zip member paths are honoured relative to the working directory, a crafted archive writes files of the attacker's choosing anywhere on the system, as root.
- Recommended mitigations include patching firmware, network segmentation, regular vulnerability/pentest audits, and ongoing monitoring/logging.
- IOC indicators include two malicious IPs observed in scans: 173.249.56.171 and 173.212.243.253.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – FortiNAC web server vulnerability exploited via publicly released PoC to perform arbitrary writes and deploy web shells. [External control of file name or path vulnerability [CWE-73] in affected versions of FortiNAC web server may allow Threat Actors to perform arbitrary write on the system and deploy web shells.]
- [T1105] Ingress Tool Transfer – Uploading arbitrary files to the unauthenticated keyUpload.jsp endpoint, which are then unpacked by a root-privileged script, gives remote code execution as root. [The scriptlet provides a function that allows users to upload arbitrary files. The uploaded file is saved in ‘/bsc/campusMgr/config/upload.applianceKey’. Afterward ‘keyUpload.jsp’ runs a bash script located at ‘/bsc/campusMgr/bin/configApplianceXml’ with root privileges to unzip the uploaded file.]
- [T1059.004] Unix Shell – The root-privileged bash script configApplianceXml runs cd / and then unzip on the uploaded file; since zip members carry their own relative paths, this plants attacker-controlled files anywhere on the filesystem (a web shell under the web root, for example), which in turn provides shell command execution. [As shown in Figure 1, the bash script calls unzip on the file that was written, but first calls cd /. Because the working directory is / when unzip runs inside the script, the archive's contents are written relative to the filesystem root.]
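The write primitive described in the attack chain and in the T1059.004 entry above, shown as an added example (not the Horizon3.ai PoC and not FortiNAC code). A temporary directory stands in for `/`; `unzip_like` mimics what `cd / && unzip <file>` does with member names, and `safe_extract` is the check a hardened extractor needs. The member names, the placeholder web-shell content and the upload directory layout are constructed for the example.

```python
"""Why `cd / && unzip <attacker file>` is an arbitrary-write primitive
(CWE-73), and the containment check that closes it. Added example; runs
entirely inside a temporary directory that plays the role of '/'."""
import io
import pathlib
import tempfile
import zipfile


def build_archive(entries):
    """Return zip bytes whose member names are exactly `entries` (name -> data).
    Names are stored as given: a member 'tmp/x' is later written to <cwd>/tmp/x
    by an extractor that honours member paths relative to its working dir."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def unzip_like(archive, cwd):
    """Mimic the vulnerable flow `cd <cwd> && unzip archive`: every member is
    written relative to cwd with no check that it stays inside an intended
    directory. A leading '/' is stripped, as unzip does; nothing else is."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            dest = pathlib.Path(cwd) / info.filename.lstrip("/")
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(zf.read(info))
            written.append(dest)
    return written


def safe_extract(archive, dest_dir):
    """Hardened flow: extract into a dedicated directory and refuse any member
    whose resolved path escapes it. All members are validated before any is
    written, so a rejected archive leaves nothing behind."""
    base = pathlib.Path(dest_dir).resolve()
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        members = [i for i in zf.infolist() if not i.is_dir()]
        for info in members:
            # Absolute names replace `base` in the join; '..' climbs out of it.
            # resolve() makes both cases visible as "not under base".
            target = (base / info.filename).resolve()
            if target != base and base not in target.parents:
                raise ValueError(f"member escapes {base}: {info.filename!r}")
        written = []
        for info in members:
            target = (base / info.filename).resolve()
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def run_demo():
    """Run both flows under a fake root and report where the member lands."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp).resolve()
        # The directory FortiNAC stores the upload in, recreated under the fake root.
        upload_dir = root / "bsc" / "campusMgr" / "config"
        upload_dir.mkdir(parents=True)

        # Constructed attacker archive. A plain relative member name is enough
        # when the extractor runs from '/'; the content is a placeholder, not a shell.
        evil = build_archive({"tmp/webshell.jsp": b"<%-- placeholder --%>"})
        # Traversal variant, to exercise the hardened extractor's check.
        evil_dotdot = build_archive({"../../../tmp/webshell.jsp": b"x"})

        vulnerable = unzip_like(evil, root)            # lands at <root>/tmp/webshell.jsp
        contained = safe_extract(evil, upload_dir)     # stays under the upload dir
        try:
            safe_extract(evil_dotdot, upload_dir)
            rejected = False
        except ValueError:
            rejected = True

        return {
            "vulnerable_write": str(vulnerable[0].relative_to(root)),
            "hardened_write": str(contained[0].relative_to(root)),
            "traversal_rejected": rejected,
        }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The two lessons are separate: extracting into a dedicated directory instead of `/` stops plain relative names from reaching the rest of the filesystem, and the resolve-and-compare check stops `..` and absolute names from escaping that directory. An allow-list of the member names the appliance actually expects would tighten this further; which of these Fortinet's fix applies is not stated on this page.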
Indicators of Compromise
- [IP] Malicious & Blacklisted IPs – 173.249.56.171, 173.212.243.253
- [File name] keyUpload.jsp – The scriptlet exposing the arbitrary file upload; it is a legitimate FortiNAC component, so the indicator is request activity to it (especially POSTs from untrusted sources), not the file's presence
- [File name] configApplianceXml – The bash script located at ‘/bsc/campusMgr/bin/configApplianceXml’
- [File path] /bsc/campusMgr/config/upload.applianceKey – Uploaded payload storage path; check its timestamp and contents (a zip whose member paths point outside the expected config location indicates exploitation)
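The IOCs above turned into a check over web server access logs, as an added example (not from the report or from Fortinet). It flags the two listed IPs and any POST to keyUpload.jsp from outside a trusted management range. Assumptions: the log is in Apache combined format, the trusted range 10.0.0.0/8 is a placeholder for your own management network, and the /configWizard/ directory in the constructed sample lines is taken from public write-ups (the matcher keys on the file name only, so the directory does not matter to it).

```python
"""Flag CVE-2022-39952-related activity in access logs. Added example: the
IOC IPs are the report's; the log lines, the log format and the trusted
network are constructed assumptions."""
import ipaddress
import re
from collections import namedtuple

# Both IPs come from the report's IOC list.
IOC_IPS = {"173.249.56.171", "173.212.243.253"}

# Assumption: management hosts that may legitimately use the key upload.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Apache/Tomcat combined log format (assumed; adapt to the real source).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

Finding = namedtuple("Finding", "ip ts reason path status")


def analyse(lines):
    """Return one Finding per (line, reason) for lines matching an IOC."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: not silently trusted, just not scored here
        ip, path = m["ip"], m["path"].split("?", 1)[0]
        reasons = []
        if ip in IOC_IPS:
            reasons.append("source IP in IOC list")
        # keyUpload.jsp is a legitimate file; unauthenticated POSTs to it from
        # outside the management network are the signal.
        if path.endswith("/keyUpload.jsp") and m["method"].upper() == "POST":
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                addr = None
            if addr is None or not any(addr in net for net in TRUSTED_NETS):
                reasons.append("POST to keyUpload.jsp from untrusted source")
        for reason in reasons:
            findings.append(Finding(ip, m["ts"], reason, path, int(m["status"])))
    return findings


# Constructed sample log: one trusted upload, one scan hit, two untrusted
# POSTs (one from an IOC IP), and a harmless GET.
SAMPLE_LOG = """\
10.1.2.3 - - [21/Feb/2023:10:00:01 +0000] "POST /configWizard/keyUpload.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
173.249.56.171 - - [21/Feb/2023:10:05:17 +0000] "GET / HTTP/1.1" 200 2048 "-" "curl/7.68.0"
203.0.113.77 - - [21/Feb/2023:10:06:42 +0000] "POST /configWizard/keyUpload.jsp HTTP/1.1" 200 512 "-" "python-requests/2.28"
173.212.243.253 - - [21/Feb/2023:10:07:03 +0000] "POST /configWizard/keyUpload.jsp HTTP/1.1" 500 0 "-" "python-requests/2.28"
198.51.100.9 - - [21/Feb/2023:10:08:11 +0000] "GET /configWizard/keyUpload.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
""".splitlines()


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.ts} {f.ip:>16} {f.status} {f.path}  <- {f.reason}")
```

A POST to the endpoint that returned 200 from an untrusted source deserves a follow-up on the host itself: the stored upload.applianceKey file and any newly written files outside the config directory. Requests from the listed IPs to other paths are scan activity and are worth blocking, but on their own do not prove the appliance was vulnerable.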