{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2023-042.pdf"
    },
    "title": "RCE vulnerability in Fortinet FortiNAC",
    "serial_number": "2023-042",
    "publish_date": "26-06-2023 10:26:42",
    "description": "On June 23, 2023, Fortinet released an advisory regarding a critical vulnerability in FortiNAC that may allow unauthenticated attackers to perform remote arbitrary code or command execution. This vulnerability was identified as \"CVE-2023-33299\" with a CVSS score of 9.6. FortiNAC is a network access control solution utilised by organisations to manage network access policies and compliance.<br>\nGiven the level of access and control FortiNAC has on the network, we recommend updating as soon as possible.<br>\n",
    "url_title": "2023-042",
    "content_markdown": "---\ntitle: 'RCE vulnerability in Fortinet FortiNAC'\nversion: '1.0'\nnumber: '2023-042'\noriginal_date: 'June 23, 2023'\ndate: 'June 26, 2023'\n---\n\n_History:_\n\n* _26/06/2023 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn June 23, 2023, Fortinet released an advisory regarding a critical vulnerability in FortiNAC that may allow unauthenticated attackers to perform remote arbitrary code or command execution [1]. This vulnerability was identified as `CVE-2023-33299` with a CVSS score of 9.6. FortiNAC is a network access control solution utilised by organisations to manage network access policies and compliance.\n\nGiven the level of access and control FortiNAC has on the network, we recommend updating as soon as possible.\n\n# Technical Details\n\nThis vulnerability is the result of the deserialisation of untrusted data. An unauthenticated user can insert a modified serialised object into the system via specifically crafted requests to the tcp/1050 service, which leads to unauthenticated RCE.\n\n# Affected Products\n\n- Version 9.4.0 through 9.4.2\n- Version 9.2.0 through 9.2.7\n- Version 9.1.0 through 9.1.9\n- Version 7.2.0 through 7.2.1\n- 8.8 all versions\n- 8.7 all versions\n- 8.6 all versions\n- 8.5 all versions\n- 8.3 all versions\n\n# Recommendations\n\nUpgrade FortiNAC products to:\n\n- Version 9.4.3 or above\n- Version 9.2.8 or above\n- Version 9.1.10 or above\n- Version 7.2.2 or above\n\n# References\n\n[1] <https://www.fortiguard.com/psirt/FG-IR-23-074>\n\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>26/06/2023 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On June 23, 2023, Fortinet released an advisory regarding a critical vulnerability in FortiNAC that may allow unauthenticated attackers to perform remote arbitrary code or command execution [1]. This vulnerability was identified as <code>CVE-2023-33299</code> with a CVSS score of 9.6. FortiNAC is a network access control solution utilised by organisations to manage network access policies and compliance.</p><p>Given the level of access and control FortiNAC has on the network, we recommend updating as soon as possible.</p><h2 id=\"technical-details\">Technical Details</h2><p>This vulnerability is the result of the deserialisation of untrusted data. An unauthenticated user can insert a modified serialised object into the system via specifically crafted requests to the tcp/1050 service, which leads to unauthenticated RCE.</p><h2 id=\"affected-products\">Affected Products</h2><ul><li>Version 9.4.0 through 9.4.2</li><li>Version 9.2.0 through 9.2.7</li><li>Version 9.1.0 through 9.1.9</li><li>Version 7.2.0 through 7.2.1</li><li>8.8 all versions</li><li>8.7 all versions</li><li>8.6 all versions</li><li>8.5 all versions</li><li>8.3 all versions</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>Upgrade FortiNAC products to:</p><ul><li>Version 9.4.3 or above</li><li>Version 9.2.8 or above</li><li>Version 9.1.10 or above</li><li>Version 7.2.2 or above</li></ul><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.fortiguard.com/psirt/FG-IR-23-074\">https://www.fortiguard.com/psirt/FG-IR-23-074</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}