Home Security New Fortinet’s FortiNAC Vulnerability Exposes Networks to Code Execution Assaults

New Fortinet’s FortiNAC Vulnerability Exposes Networks to Code Execution Assaults

by crpt os


Jun 27, 2023Ravie LakshmananVulnerability / Exploit

Fortinet has rolled out updates to address a critical security vulnerability impacting its FortiNAC network access control solution that could lead to the execution of arbitrary code.

Tracked as CVE-2023-33299, the flaw is rated 9.6 out of 10 for severity on the CVSS scoring system. It has been described as a case of Java untrusted object deserialization.

“A deserialization of untrusted data vulnerability [CWE-502] in FortiNAC may allow an unauthenticated user to execute unauthorized code or commands via specifically crafted requests to the tcp/1050 service,” Fortinet said in an advisory published last week.

Cybersecurity

The shortcoming impacts the following products, with patches available in FortiNAC versions 7.2.2, 9.1.10, 9.2.8, and 9.4.3 or later –

  • FortiNAC version 9.4.0 through 9.4.2
  • FortiNAC version 9.2.0 through 9.2.7
  • FortiNAC version 9.1.0 through 9.1.9
  • FortiNAC version 7.2.0 through 7.2.1
  • FortiNAC 8.8 all versions
  • FortiNAC 8.7 all versions
  • FortiNAC 8.6 all versions
  • FortiNAC 8.5 all versions, and
  • FortiNAC 8.3 all versions

Also resolved by Fortinet is a medium-severity vulnerability tracked as CVE-2023-33300 (CVSS score: 4.8), an improper access control issue affecting FortiNAC 9.4.0 through 9.4.3 and FortiNAC 7.2.0 through 7.2.1. It has been fixed in FortiNAC versions 7.2.2 and 9.4.4.

Florian Hauser from German cybersecurity firm CODE WHITE has been credited with discovering and reporting the two bugs.

The alert follows the active exploitation of another critical vulnerability affecting FortiOS and FortiProxy (CVE-2023-27997, CVSS score: 9.2) that could allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.

Fortinet, earlier this month, acknowledged that the issue may have been abused in limited attacks targeting government, manufacturing, and critical infrastructure sectors, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog.

Cybersecurity

It also comes more than four months after Fortinet addressed a severe bug in FortiNAC (CVE-2022-39952, CVSS score: 9.8) that could lead to arbitrary code execution. The flaw has since come under active exploitation shortly after a proof-of-concept (PoC) was made available.

In a related development, Grafana has released patches for a critical security vulnerability (CVE-2023-3128) that could permit malicious attackers to bypass authentication and take over any account that uses Azure Active Directory for authentication.

“If exploited, the attacker can gain complete control of a user’s account, including access to private customer data and sensitive information,” Grafana said. “If exploited, the attacker can gain complete control of a user’s account, including access to private customer data and sensitive information.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex