Companies urged to patch critical vulnerability in Fortinet FortiNAC

Proof-of-concept exploit code is now available for a critical vulnerability in Fortinet FortiNAC appliances and attackers have already started using it in the wild. Users are advised to patch their systems as soon as possible.

FortiNAC is a zero-trust network access solution that can be deployed both as a hardware device or as a virtual machine appliance. It is used for network segmentation, visibility, and control of devices and users connected to the network. As such, it can be deployed at the network perimeter, making it an easier target for internet-based attacks. However, in a blog post Fortinet claims that “most organizations leverage FortiNAC in air-gapped environments” that are not exposed to the internet.

According to Shodan searches performed by CronUp, a cybersecurity company based in Chile, more than 700,000 devices made by Fortinet are connected to the internet around the world, but these are not only FortiNAC installations and they’re not necessarily vulnerable. Fortinet claims it has shipped over 10 million security appliances to date.

Unauthenticated remote code execution

The vulnerability, tracked as CVE-2022-39952, was disclosed and patched by Fortinet last week. It allows unauthenticated attackers to write arbitrary files on the system, which can result in code or command execution. The flaw was discovered internally by a member of the Fortinet product security team and is rated 9.8 out of 10 on the CVSS severity scale.

Researchers from security consultancy Horizon3.ai performed a comparison of the patched and vulnerable FortiNAC appliance versions and were able to locate and confirm the vulnerability. It is located in a file called keyUpload.jsp that allows the upload of files that are then saved locally in the location /bsc/campusMgr/config.applianceKey.

The operating system then executes a bash script that runs an unzip command against the stored file. Initially this hinted at a potential path traversal vulnerability, where attackers could create an archive that, when unpacked, writes files outside of the intended path. However, this is not the case for unzip, which strips relative paths and therefore protects against path traversal issues, the researchers said. The bash script that calls unzip in this case first changes the current working directory to “/” which on Linux systems is the root of the partition.

“Unzip will allow placing files in any paths as long as they do not traverse above the current working directory,” the researchers said. “Because the working directory is ‘/,’ the call unzip inside the bash script allows any arbitrary file to be written.”

In other words, the attackers can create a zip file that unpacks its contents in any file path under the whole partition. To demonstrate a weaponized exploit, the Horizon3 researchers exploited the vulnerability to write a malicious payload under /etc/cron.d/ which is the scheduled task mechanism in Linux. This task executes every minute and initiates a reverse shell to the attacker.

Abusing cron.d is only one way of exploiting this flaw and achieving remote code execution. Attackers could also choose to overwrite any binary file on the system that they know the OS will execute, or they could add their own SSH key to a user profile, enabling remote access to that user via SSH.

“Unfortunately, the FortiNAC appliance does not allow access to the GUI unless a license key has been added, so no native GUI logs were available to check for indicators,” the researchers said. “However, exploitation of the issue was observable in filesystem logs located at /bsc/logs/output.master. Specifically, you could check for the line Running configApplianceXml as long as the attacker has not cleared out this log file.”

Fortinet advises users to upgrade to FortiNAC version 9.2.6 or above, 9.1.8 or above and 7.2.0 or above, depending on which supported release they use.

Active attacks using the FortiNAC vulnerability

CronUp reported seeing attacks that exploit the FortiNAC vulnerability hitting its honeypot systems. First they saw attempts that created reverse shells like in Horizon3’s proof-of-concept.

Then attackers switched to deploying webshells — web-based backdoor scripts that allow remote execution of commands. Two webshells observed in exploitation attempts so far were deployed under bsc/campusMgr/ui/ROOT/fortii.jsp and bsc/campusMgr/ui/ROOT/shell.jsp. GreyNoise, a service that tracks malicious traffic on the internet, added the ability to detect attacks that target this vulnerability and has started seeing exploitation attempts.

Attackers have targeted other Fortinet security appliances in the past, which suggests there’s an interest in such vulnerabilities. In January, Fortinet warned users that attackers were exploiting a critical vulnerability in FortiOS SSL-VPN that was patched in December to deploy a sophisticated Linux implant.