Fortinet has issued updates to rectify a significant security vulnerability in its FortiNAC network access control solution, which could result in the execution of arbitrary code. This flaw, identified as CVE-2023-33299, has been given a severity rating of 9.6 out of 10 according to the CVSS scoring system. It is characterized as a Java untrusted object deserialization issue. "A deserialization of untrusted data vulnerability [CWE-502] in FortiNAC may allow an unauthenticated user to execute unauthorized code or commands via specifically crafted requests to the tcp/1050 service," as stated by Fortinet in an advisory published recently.
The vulnerability affects the following products, with patches available in FortiNAC versions 7.2.2, 9.1.10, 9.2.8, and 9.4.3 or later. Fortinet has also addressed a medium-severity vulnerability, identified as CVE-2023-33300 (CVSS score: 4.8), an issue of improper access control affecting FortiNAC 9.4.0 through 9.4.3 and FortiNAC 7.2.0 through 7.2.1. It has been rectified in FortiNAC versions 7.2.2 and 9.4.4. Florian Hauser of the German cybersecurity firm CODE WHITE is credited with discovering and reporting these two bugs.
This alert comes after the active exploitation of another critical vulnerability affecting FortiOS and FortiProxy (CVE-2023-27997, CVSS score: 9.2) that could enable a remote attacker to execute arbitrary code or commands via specifically crafted requests. Earlier this month, Fortinet acknowledged that this issue may have been used in limited attacks targeting government, manufacturing, and critical infrastructure sectors, leading the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog.
This news follows more than four months after Fortinet addressed a severe bug in FortiNAC (CVE-2022-39952, CVSS score: 9.8) that could lead to arbitrary code execution. This flaw was actively exploited shortly after a proof-of-concept (PoC) was made available.
In related news, Grafana has issued patches for a critical security vulnerability (CVE-2023-3128) that could allow malicious attackers to bypass authentication and take over any account that uses Azure Active Directory for authentication. Grafana stated, "If exploited, the attacker can gain complete control of a user's account, including access to private customer data and sensitive information."