How To Fix CVE-2022-39952 & CVE-2021-42756- Two Critical Arbitrary Code Execution Vulnerabilities in Fortinet Products

In the recent Fortinet Monthly PSIRT Advisory Report, Fortinet has published advisories for a total of 40 vulnerabilities, of which 2 are Critical in severity. The vulnerabilities tracked under CVE identifiers CVE-2022-39952 & CVE-2021-42756 are identified as critical severity vulnerabilities as they got the CVSS score of 9.8 & 9.3 on the CVSS scale. As per the vendor, these vulnerabilities allow a remote attacker to perform arbitrary code execution and write an arbitrary file on the system. Since this flaw allows an unauthenticated, remote attacker to exploit this issue remotely and perform operations on the administrative interface, it is highly important to know how to fix CVE-2022-39952 and CVE-2021-42756, the two critical Arbitrary Code Execution vulnerabilities in Fortinet Products.

A Short Intro About the FortiNAC And FortiWeb

FortiNAC and FortiWeb are two distinct security platforms developed by Fortinet, a leading provider of cybersecurity solutions.

FortiNAC is a flexible and modular Network Access Control solution from Fortinet that enables organizations to customize solutions to fit their specific needs. It leverages existing IT infrastructure to provide unparalleled visibility into network activity, allowing for the automatic application of security policies across the entire network. With FortiNAC, organizations can manage access and identify devices and users on their network, ensuring the protection of sensitive data and resources.

FortiWeb, on the other hand, is a web application firewall designed to protect web-based applications and APIs against a variety of threats. It uses advanced threat detection techniques, including machine learning and behavioral analysis, to identify and prevent attacks such as SQL injection, cross-site scripting (XSS), and more. Additionally, FortiWeb offers features such as SSL offloading and load balancing, which can help improve application performance while maintaining security.

FortiNAC and FortiWeb are two powerful security platforms designed to address different aspects of an organization’s security needs. While FortiNAC provides network visibility and access control, FortiWeb protects web-based applications from a range of threats.

Summary of CVE-2022-39952 and CVE-2021-42756

Fortinet has released advisories for these two arbitrary code execution vulnerabilities in their February 2023 Monthly PSIRT Advisory Report. These vulnerabilities allow remote attackers to perform arbitrary code execution and write an arbitrary file on the vulnerable Fortinet products. Let’s see the summary of the two flaws, one after another.

CVE-2022-39952- External Control of File Name or Path in KeyUpload Scriptlet in FortiNAC

This is a critical vulnerability in FortiNAC, which has a CVSS score of 9.8 out of 10 on the CVSS scale. The flaw exists in the web server of FortiNAC, which allows an unauthenticated attacker to control or influence the paths or file names used in file system operations which leads to arbitrary file writie on the system. Attackers would try exploiting this vulnerability to access or modify files that should be restricted, such as system files or user data.

This flaw is based on CWE-73, which is an “External Control of File Name or Path” vulnerability. This flaw occurs due to improper implementation of user input to control file paths or names in the webserver of FortiNAC. An attacker can exploit this vulnerability by providing input that contains specially crafted characters or sequences to traverse directories, execute arbitrary code, or overwrite critical system files. Proper input validation and sanitization techniques should be implemented to prevent user input from being able to influence filesystem operations.

For example, applications can use a whitelist approach to restrict the types of characters and file paths that are allowed as user input. Additionally, file system permissions should be set correctly to restrict access to critical system files and directories.

CVE-2021-42756- Stack-based buffer overflows in Proxyd of FortiWeb

This is a critical vulnerability in FortiWeb, which has a CVSS score of 9.9 out of 10 on the CVSS scale. The flaw exists in the Proxy daemon of FortiWeb, which allows unauthenticated, remote attackers to achieve arbitrary code execution. Attackers would try exploiting this vulnerability to overwrite critical system data, cause the application to crash, or even execute arbitrary code.

This flaw is based on CWE-121, which is a “Stack-based Buffer Overflow” vulnerability. Generally, it occurs when an application attempts to store more data in a buffer than it can hold, causing the data to overflow into adjacent memory locations. An attacker can exploit this vulnerability by sending an HTTP request that contains specially crafted data, which can overwrite critical system data, cause the application to crash, or even execute arbitrary code.

Proper input validation and sanitization techniques should be implemented to ensure that the amount of data being stored in a buffer does not exceed its capacity. Additionally, developers should use safer functions and data structures that automatically check for buffer overflows and prevent them from occurring.

Fortinet Products Affected by the Two Critical Arbitrary Code Execution Vulnerabilities

There are multiple products affected by these four vulnerabilities. However, we have covered this information in the previous post, “Breaking Down the Latest February 2023 Monthly PSIRT Advisory Report From Fortinet“. We suggest checking out the post for a complete list of vulnerabilities. 

FortiNAC versions vulnerable to CVE-2022-39952:

FortiWeb versions vulnerable to CVE-2021-42756:

How To Fix CVE-2022-39952 & CVE-2021-42756- Two Critical Arbitrary Code Execution Vulnerabilities in Fortinet Products?

Fortinet acknowledged the vulnerability by releasing the patch last week. All the users of the vulnerable version of FortiNAC and FortiWeb are advised to upgrade their appliances to these versions:

If you want to upgrade FortiNAC, please refer this community post here.

Time needed: 15 minutes.

How to Upgrade FortiWeb?

FortiWeb can be upgraded in two ways: GUI and CLI. If you want to go for the manual upgrade process using GUI, you should download the upgrade image from support portal, go to the ‘File Upload’ underneath “System Information widget”. Upoload the downloaded file and wait the process to complete. That’s it. Check the firmware version to make sure the firmware upgrade is completed.

We hope this post would help you know how to fix CVE-2022-39952 and CVE-2021-42756, the two critical Arbitrary Code Execution vulnerabilities in Fortinet Products. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this. 

You may also like these articles: