Security researchers have released a proof-of-concept exploit for a critical-severity vulnerability (CVE-2022-39952) in Fortinet's FortiNAC network access control suite.
Fortinet disclosed the security issue on February 16 and assigned it a severity score of 9.8. The vendor warned that it could be leveraged by an unauthenticated attacker to write arbitrary files on the system and achieve remote code execution with the highest privileges.
Organizations using FortiNAC 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, and all versions on the 8.8, 8.7, 8.6, 8.5, and 8.3 branches have been urged to prioritize applying the available security updates.
Today, researchers at the cybersecurity company Horizon3 published a technical post detailing the vulnerability and how it can be exploited. Proof-of-concept (PoC) exploit code is also available from the company's repository on GitHub.
The released PoC involves writing a cron job to /etc/cron.d/ that triggers every minute to initiate a root reverse shell to the attacker, giving them remote code execution capabilities.
The analysts found that the fix for CVE-2022-39952 removed 'keyUpload.jsp,' an endpoint that parses requests for a 'key' parameter, writes its contents to a config file, and then executes a bash script, 'configApplianceXml.'
The bash script runs the 'unzip' command on the newly written file, but just before that, the script calls "cd /."
"Unzip will allow placing files in any paths as long as they don't traverse above the current working directory," Horizon3 explains.
"Because the working directory is /, the call to unzip inside the bash script allows any arbitrary file to be written," the researchers added.
Hence, an attacker can create a ZIP archive that contains the payload, with a member path that specifies where it must be extracted, and then send it to the vulnerable endpoint using the key parameter. Horizon3 says the reverse shell should be ready within a minute.
The 'key' parameter ensures that the malicious request reaches 'keyUpload.jsp,' the unauthenticated endpoint that Fortinet removed in the fixed versions of FortiNAC.
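The following is an added illustration, not code from Horizon3's PoC or from Fortinet, of the general archive-extraction weakness described above: both unzip and Python's zipfile strip leading slashes and '..' components, so an archive member can never climb above the working directory, but it can name any path beneath it, and when the working directory is / that means any path on the system. The member name, payload bytes, and the 'key.xml' allowlist entry are constructed assumptions for the demonstration; the hardened extractor at the end shows the check a practitioner would want (extract only allowlisted flat names into a dedicated directory) and goes beyond the specific FortiNAC case.

```python
import io
import os
import posixpath
import tempfile
import zipfile

# Constructed example member (assumption, not the real PoC's contents). The
# path is relative, so unzip accepts it; where it lands depends entirely on
# the extractor's current working directory.
ARCHIVE_MEMBER = "etc/cron.d/example-job"
ARCHIVE_PAYLOAD = b"# constructed placeholder, not a real cron entry\n"


def build_archive(member: str = ARCHIVE_MEMBER, data: bytes = ARCHIVE_PAYLOAD) -> bytes:
    """Build an in-memory ZIP containing a single member at the given path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, data)
    return buf.getvalue()


def sanitize_member(name: str) -> str:
    """Approximate what unzip and Python's zipfile do to a member name before
    writing it: drop a leading '/' and discard '', '.' and '..' components.
    The result is always relative (it cannot escape the working directory),
    but it may still point anywhere beneath that directory."""
    parts = [p for p in name.split("/") if p not in ("", ".", "..")]
    return "/".join(parts)


def landing_paths(archive: bytes, workdir: str) -> dict:
    """Compute where each member would be written if the archive were
    extracted with `workdir` as the current directory. Pure computation;
    nothing is written to disk."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {
            info.filename: posixpath.join(workdir, sanitize_member(info.filename))
            for info in zf.infolist()
        }


def safe_extract(archive: bytes, dest: str, allowed: set) -> list:
    """Hardened extraction: only members on an explicit allowlist are written,
    only as flat file names, and only directly inside `dest`. Anything else
    raises instead of being silently written somewhere on the filesystem."""
    dest_real = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name not in allowed:
                raise ValueError(f"unexpected archive member: {name!r}")
            target = os.path.realpath(os.path.join(dest_real, name))
            if os.path.dirname(target) != dest_real:
                raise ValueError(f"member escapes destination: {name!r}")
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def demo() -> dict:
    """Run the comparison end to end in a scratch directory and return the
    observations: where the crafted member would land when unzipped from /
    versus from a dedicated directory, and what the hardened extractor does."""
    archive = build_archive()
    result = {
        "from_root": landing_paths(archive, "/")[ARCHIVE_MEMBER],
        "from_sandbox": landing_paths(archive, "/var/tmp/keys")[ARCHIVE_MEMBER],
    }
    with tempfile.TemporaryDirectory() as scratch:
        try:
            safe_extract(archive, scratch, allowed={"key.xml"})
            result["hardened_rejected"] = False
        except ValueError as exc:
            result["hardened_rejected"] = True
            result["reason"] = str(exc)
        # A benign archive carrying only the expected, allowlisted file name.
        benign = build_archive("key.xml", b"<key/>")
        written = safe_extract(benign, scratch, allowed={"key.xml"})
        result["benign_written"] = [
            os.path.relpath(p, os.path.realpath(scratch)) for p in written
        ]
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `landing_paths` is that the same archive is harmless when extracted into a dedicated directory and a root-level arbitrary write when extracted from /; `safe_extract` removes the ambiguity by refusing any member that is not an expected flat file name inside the intended destination.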
The code from Horizon3 automates this process and could be picked up and modified by threat actors into a weaponized exploit. It can also help defenders build appropriate protection against exploitation attempts on corporate networks.
FortiNAC administrators are strongly recommended to immediately upgrade to a version of the product that is not affected by CVE-2022-39952, namely FortiNAC 9.4.1 or later, 9.2.6 or above, 9.1.8 or newer, and 7.2.0 or later.