Recently, a critical Remote Code Execution (RCE) vulnerability (CVE-2022-39952) was discovered in Fortinet’s FortiNAC product. This vulnerability could allow attackers to upload malicious payloads to the server, leading to a complete compromise of the affected system.
In this blog post, we will discuss the details of the CVE-2022-39952 vulnerability, the Fortinet FortiNAC product, and the vulnerable code that led to this RCE.
About the CVE-2022-39952
The vulnerability is classified as a remote code execution (RCE) vulnerability with a CVSS score of 9.8, which is considered critical.
This means that it has the potential to be exploited by attackers to gain complete control over an affected system.
The vulnerability is caused by a lack of authentication and validation in the ‘/configWizard/keyUpload.jsp’ endpoint, which allows attackers to upload and execute malicious payloads.
What is Fortinet FortiNAC product?
Fortinet FortiNAC is a network access control solution that provides real-time visibility and control of IoT devices and endpoints accessing the network. The product allows organizations to control and manage access to the network, ensure compliance with security policies, and detect and respond to security threats.
Identifying the vulnerability leading to Fortinet FortiNAC RCE
The vulnerability in FortiNAC is caused by a flaw in the keyUpload.jsp file, an unauthenticated endpoint that handles file upload requests. The code in keyUpload.jsp uses the Apache Commons FileUpload library to parse incoming requests and write the contents of the “key” parameter to a file on the server.
The vulnerable code in keyUpload.jsp is as follows:
The keyUpload.jsp file contains a JavaServer Page (JSP) responsible for handling file uploads to the FortiNAC configuration wizard. This JSP file allows users to upload an appliance key file, which is then processed by the FortiNAC system to enable the device.
The vulnerable code is located within a try-catch block that attempts to process the uploaded file. Specifically, the code parses the uploaded file using the Apache Commons FileUpload library and writes the contents of the file to the ‘/bsc/campusMgr/config/upload.applianceKey’ file on the server.
However, the code does not properly validate the uploaded file’s contents. An attacker can therefore craft a file containing a malicious payload and upload it to the server via the keyUpload.jsp endpoint.
The server could then execute the malicious payload if the attacker can trigger the ‘configApplianceXml’ command. This can be achieved through various means, such as exploiting other vulnerabilities in the FortiNAC system or tricking an administrator into running a specific command.
In this case, the attacker used a cron job payload to trigger the ‘configApplianceXml’ command at a later time. This allowed the attacker to gain remote code execution (RCE) on the target system and potentially compromise sensitive data.
To summarize, the vulnerability in the keyUpload.jsp file allows an attacker to upload a malicious file containing a payload that can be executed on the server.
The payload is activated when the ‘configApplianceXml’ command is executed, which can be triggered through multiple methods. Successful exploitation of this vulnerability can lead to Remote Code Execution (RCE) on the target system, potentially causing data breaches and other malicious activities.
Affected versions of the vulnerability
The products impacted by this flaw are:
- FortiNAC version 9.4.0
- FortiNAC version 9.2.0 through 9.2.5
- FortiNAC version 9.1.0 through 9.1.7
- FortiNAC 8.8 all versions
- FortiNAC 8.7 all versions
- FortiNAC 8.6 all versions
- FortiNAC 8.5 all versions
- FortiNAC 8.3 all versions
The CVE-2022-39952 vulnerability is fixed in FortiNAC 9.4.1 and later, 9.2.6 and later, 9.1.8 and 7.2.0 and later.
How to fix the CVE-2022-39952?
To fix CVE-2022-39952, Fortinet has released a patch for the FortiNAC product. It is strongly recommended that users of the affected product apply the patch as soon as possible to avoid exploitation of this vulnerability.
Additionally, Fortinet recommends that users configure their systems so that only authorized users can access the keyUpload.jsp file, and that they monitor network traffic for any suspicious activity.
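As an added example (not part of the original post and not Fortinet's own tooling), one way to act on the monitoring advice is to scan web access logs for requests that resolve to the keyUpload.jsp endpoint. The common/combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Endpoint named in the post; lower-cased so matching over-includes, never misses.
TARGET = "/configwizard/keyupload.jsp"

# Assumption: common/combined access log format (Tomcat valve or reverse proxy).
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')

def normalize_path(uri):
    """Reduce a request URI to a canonical lower-case path for matching."""
    path = uri.split("?", 1)[0]
    for _ in range(2):  # decode twice so double-encoded bytes are caught
        path = unquote(path)
    # Drop servlet path parameters (";jsessionid=...") from every segment.
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    # Rebuild without empty segments, then resolve "." and ".." segments.
    return posixpath.normpath("/" + "/".join(s for s in segments if s)).lower()

def find_key_upload_hits(lines):
    """Return one dict per logged request that resolves to keyUpload.jsp."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or normalize_path(m["uri"]) != TARGET:
            continue
        accepted = m["method"] == "POST" and m["status"].startswith("2")
        hits.append({"src": m["src"], "ts": m["ts"], "method": m["method"],
                     "status": int(m["status"]),
                     # POST answered 2xx: the endpoint processed the request.
                     "severity": "high" if accepted else "review"})
    return hits

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE = [
    '198.51.100.7 - - [21/Feb/2023:10:02:11 +0000] "POST /configWizard/keyUpload.jsp HTTP/1.1" 200 0',
    '198.51.100.7 - - [21/Feb/2023:10:02:09 +0000] "GET /configWizard/%6beyUpload.jsp;x=1 HTTP/1.1" 404 312',
    '203.0.113.20 - - [21/Feb/2023:10:05:40 +0000] "GET /configWizard/index.jsp HTTP/1.1" 200 5120',
    '192.0.2.15 - - [21/Feb/2023:10:07:02 +0000] "POST /configWizard/./keyUpload.jsp?a=b HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for hit in find_key_upload_hits(SAMPLE):
        print(hit)
```

On an appliance where this endpoint should never be reached from outside the management network, any hit is worth reviewing, and a "high" hit on an unpatched version should be treated as a possible compromise.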