April 24, 2024

Feb 19, 2023 Ravie Lakshmanan Network Security / Firewall


Fortinet has released security updates to address 40 vulnerabilities in its software lineup, including FortiWeb, FortiOS, FortiNAC, and FortiProxy, among others.

Two of the 40 flaws are rated Critical, 15 are rated High, 22 are rated Medium, and one is rated Low in severity.

Top of the list is a severe bug residing in the FortiNAC network access control solution (CVE-2022-39952, CVSS score: 9.8) that could lead to arbitrary code execution.

“An external control of file name or path vulnerability [CWE-73] in FortiNAC web server may allow an unauthenticated attacker to perform arbitrary write on the system,” Fortinet said in an advisory earlier this week.

The products impacted by the vulnerability are as follows –

  • FortiNAC version 9.4.0
  • FortiNAC version 9.2.0 through 9.2.5
  • FortiNAC version 9.1.0 through 9.1.7
  • FortiNAC 8.8 all versions
  • FortiNAC 8.7 all versions
  • FortiNAC 8.6 all versions
  • FortiNAC 8.5 all versions, and
  • FortiNAC 8.3 all versions

Patches have been released in FortiNAC versions 7.2.0, 9.1.8, 9.1.8, and 9.1.8. Penetration testing firm Horizon3.ai said it plans to release proof-of-concept (PoC) code for the flaw “soon,” making it crucial that users move quickly to apply the updates.

The second flaw of note is a set of stack-based buffer overflows in FortiWeb’s proxy daemon (CVE-2021-42756, CVSS score: 9.3) that could enable an unauthenticated remote attacker to achieve arbitrary code execution via specially crafted HTTP requests.

CVE-2021-42756 impacts the below versions of FortiWeb, with fixes available in versions FortiWeb 6.0.8, 6.1.3, 6.2.7, 6.3.17, and 7.0.0 –

  • FortiWeb 6.4 all versions
  • FortiWeb versions 6.3.16 and below
  • FortiWeb versions 6.2.6 and below
  • FortiWeb versions 6.1.2 and below
  • FortiWeb versions 6.0.7 and below, and
  • FortiWeb 5.x all versions
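For teams reconciling an appliance inventory against the two affected-version lists above (FortiNAC for CVE-2022-39952, FortiWeb for CVE-2021-42756), here is an added Python triage helper. It is not Fortinet's code or tooling; the version ranges are transcribed from the lists on this page, the inventory is constructed sample data, and version strings are assumed to be plain dotted numerics.

```python
# Affected ranges per CVE, transcribed from the advisory summary above.
# Each entry is (branch prefix, inclusive upper bound). An upper bound of
# None means "all versions" of that branch are affected.
AFFECTED = {
    "CVE-2022-39952": [  # FortiNAC
        ("9.4", "9.4.0"), ("9.2", "9.2.5"), ("9.1", "9.1.7"),
        ("8.8", None), ("8.7", None), ("8.6", None), ("8.5", None), ("8.3", None),
    ],
    "CVE-2021-42756": [  # FortiWeb
        ("6.4", None), ("6.3", "6.3.16"), ("6.2", "6.2.6"),
        ("6.1", "6.1.2"), ("6.0", "6.0.7"), ("5", None),
    ],
}

PRODUCT_CVE = {"FortiNAC": "CVE-2022-39952", "FortiWeb": "CVE-2021-42756"}


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '9.2.5' into (9, 2, 5) so versions compare numerically, not as text."""
    return tuple(int(part) for part in v.strip().split("."))


def is_affected(product: str, version: str) -> bool:
    """True if this product/version falls inside an affected range from the advisory."""
    ver = parse_version(version)
    for branch, upper in AFFECTED[PRODUCT_CVE[product]]:
        prefix = parse_version(branch)
        if ver[: len(prefix)] != prefix:
            continue  # different branch (e.g. 7.2.x is not 9.2.x)
        if upper is None or ver <= parse_version(upper):
            return True
    return False


def triage(inventory: list[tuple[str, str, str]]) -> dict[str, list[str]]:
    """Map each CVE to the hosts still running an affected version."""
    needs_patch: dict[str, list[str]] = {cve: [] for cve in AFFECTED}
    for host, product, version in inventory:
        if is_affected(product, version):
            needs_patch[PRODUCT_CVE[product]].append(host)
    return needs_patch


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = [
    ("nac-hq-01", "FortiNAC", "9.2.3"),   # inside 9.2.0 through 9.2.5
    ("nac-hq-02", "FortiNAC", "9.1.8"),   # fixed release
    ("nac-dc-01", "FortiNAC", "8.6.4"),   # 8.6 all versions
    ("waf-edge-01", "FortiWeb", "6.3.16"),  # 6.3.16 and below
    ("waf-edge-02", "FortiWeb", "6.3.17"),  # fixed release
    ("waf-edge-03", "FortiWeb", "5.9.1"),   # 5.x all versions
]

if __name__ == "__main__":
    for cve, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{cve}: {', '.join(hosts) or 'no affected hosts'}")
```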

Both the issues were internally discovered and reported by its product security team, Fortinet said. Interestingly, CVE-2021-42756 also appears to have been identified in 2021 but not publicly disclosed until now.
