CVE-2022-39952: FortiNAC Remote Code Execution Exploit Explained

The Blue Report 2024

Get a comprehensive analysis of over 136 million cyber attacks and understand the state of threat exposure management.

DOWNLOAD

On February 16, 2023, Fortinet released a security advisory on a critical vulnerability with a CVSS score of 9.8 (Critical), leading to remote code execution when exploited [1]. CVE-2022-39952 vulnerability affects a wide range of older versions of FortiNAC, and users are advised to update to the latest versions as soon as possible.

Picus Labs added simulations for CVE-2022-39952 vulnerability exploitation attacks to Picus Threat Library. In this blog, we explain the FortiNAC CVE-2022-39952 remote code execution vulnerability in detail.

Start Simulating CVE-2022-39952 Attacks with a 14-day free trial of the Picus Platform

What is CVE-2022-39952 Vulnerability?

Network Access Control (NAC) solutions provide visibility and access control to organizations for their growing number of devices and networks. FortiNAC is a NAC solution from the security vendor, Fortinet. 

In their security advisory, Fortinet published that they have found a vulnerability in the keyUpload scriptlet that allows unauthenticated users to upload arbitrary files to the system. Adversaries may abuse this vulnerability to create a cronjob or add an SSH key to vulnerable systems and gain remote access to them [2]. CVE-2022-39952 vulnerability has a CVSS score of 9.8 (Critical) and affects the FortiNAC versions given below.

Affected Product

Vulnerable Versions

Patched Versions

FortiNAC

version 9.4.0

version 9.2.0 through 9.2.5

version 9.1.0 through 9.1.7

version 8.8 - all versions

version 8.7 - all versions

version 8.6 - all versions

version 8.5 - all versions

version 8.3 - all versions

version 9.4.1 or above

version 9.2.6 or above

version 9.1.8 or above

version 7.2.0 or above

Exploiting FortiNAC CVE-2022-39952 Vulnerability

The vulnerability is caused by a file named "keyUpload.jsp" found in the vulnerable versions. The scriptlet has a feature that allows users to upload arbitrary files. The uploaded file is saved to "/bsc/campusMgr/config/upload.applianceKey". 

File uploadedFile = new File("/bsc/campusMgr/config/upload.applianceKey");

Example 1: Line 22 of the keyUpload.jsp file

Then, The keyUpload.jsp file runs a bash script with root privileges to unzip the uploaded file. 

Process prKey = rtKey.exec ("sudo /bsc/campusMgr/bin/configApplianceXml");

Example 2: Line 27 of the keyUpload.jsp file

The bash script can be manipulated to extract the uploaded zip file to any file location because the script calls the "cd /" command and makes "/" working directory.

#!/bin/sh

unalias cd 2> /dev/null
cd / 

VERSION='/bsc/campusMgr/bin/getPlatformVersion'
if [ "VERSION" == "0" ]
Then

echo "This script is not supported on this version of firmware"
exit;
fi

/usr/bin/unzip -o /bsc/campusMgr/config/upload.applianceKey

Example 3: Contents of configApplianceXml script

Since users can upload arbitrary files to unauthenticated endpoints, adversaries can craft and upload malicious zip files that can be utilized for remote code execution with root privileges in vulnerable systems. For example, threat actors may add a cronjob in "/etc/cron.d" to execute malicious commands periodically or add an SSH key to a user profile to gain remote access.

How Picus Helps Simulate FortiNAC CVE-2022-39952 Vulnerability Exploitation Attacks?

We also strongly suggest simulating FortiNAC CVE-2022-39952 Attacks to test the effectiveness of your security controls against vulnerability exploitation attacks using the Picus The Complete Security Validation Platform. You can also test your defenses against hundreds of other vulnerabilities, such as Log4Shell, Follina, and ProxyNotShell, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for FortiNAC CVE-2022-39952 Attacks

Threat ID

Threat Name

Attack Module

59393

FortiNAC Web Attack Campaign

Web Application

Picus Threat Library also includes the following threats for other Fortinet vulnerabilities:

Threat ID

Action Name

Attack Module

85726

FortiOS Web Attack Campaign

Web Application

68019

Fortiweb Web Attack Campaign

Web Application

Moreover, Picus Threat Library contains 150+ threats containing 1500+ web application and vulnerability exploitation attacks in addition to 3500+ endpoint, malware, email, and data exfiltration threats as of today.

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address FortiNAC CVE-2022-39952 vulnerability exploitation attacks and other vulnerability exploitation attacks in preventive security controls. Currently, Picus Labs validated the following signatures for FortiNAC CVE-2022-39952 vulnerability:

Security Control

Signature ID

Signature Name

Cisco Firepower NGFW

61392

SERVER-OTHER Fortinet Fortinac keyUpload.jsp remote code execution attempt

Citrix WAF

 

Blocked by 'HTML Command Injection' Security Check

ForcePoint NGFW

 

HTTP_CS-Fortinet-Fortinac-Arbitrary-File-Write-CVE-2022-39952

Fortigate IPS

12449

backdoor: Remote.CMD.Shell

Snort IPS

61392

SERVER-OTHER Fortinet Fortinac keyUpload.jsp remote code execution attempt

Snort IPS

2044270

ET EXPLOIT Fortinet FortiNAC - Observed POST .zip with Vulnerable Parameter (CVE-2022-39952)

Snort IPS

2019285

ET WEB_SERVER Possible bash shell piped to dev tcp Inbound to WebServer

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trialof Picus The Complete Security Validation Platform.

References

[1] "PSIRT Advisories," FortiGuard. [Online]. Available: https://fortiguard.com/psirt/FG-IR-22-300. [Accessed: Feb. 22, 2023]

[2] Z. Hanley, "Fortinet FortiNAC CVE-2022-39952 Deep-Dive and IOCs," Horizon3.ai, Feb. 21, 2023. [Online]. Available: https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/. [Accessed: Feb. 22, 2023]