CVE-2023-33299: Unauthenticated remote code execution vulnerability in FortiNAC

On June 19, 2023, Fortiguard published the information and updates to fix a critical vulnerability (CVE-2023-33299) in its FortiNAC software, which can allow an unauthorized access on affected systems through the deserialization of untrusted data in the network service on port 1050/TCP.

FortiNAC defines itself as a zero-trust access solution that oversees and protects all digital assets connected to the enterprise network. It can be provided as a hardware appliance or as a virtual machine. Between its use cases, this solution can:

• Perform inventory management, providing visibility over the assets connected to the network, classifying and monitoring them.
• Identifies security events and allows automations such as notifications to the admins or mitigation measures.
• Manage rule-based security policies to perform network segmentation.

The affected service, running on port 1050/TCP, uses the protocol CORBA (Common Object Request Broker Architecture) for accessing server objects and for interprocess communication between FortiNAC subsystems and servers.

The vulnerability abuses the CORBA protocol by injecting untrusted Java serialized data. In the deserialization process, this data is processed and ends up running code from the attacker.

Right now, there are no evidence that this service is being exploited in the wild. Nevertheless, Java deserialization vulnerabilities are not uncommon and an attacker with sufficient motivation could develop an exploit. That’s why it is very important to patch the software as soon as possible.

CVE-2023-33299 main characteristics

The following are the key characteristics of this vulnerability:

• CVE Identifier: CVE-2023-33299.
• Publication Date: 19/06/2023.
• Affected Software: FortiNAC.
• Affected Versions:
  • Versions 9.4.0 – 9.4.2, 9.2.0 – 9.2.7, 9.1.0 – 9.1.9, 7.2.0 – 7.2.1, all 8.3 and 8.X versions after 8.5.

CVE-2023-33299 mitigation

The vendor has released an official advisory recommending to upgrade the software to any of the supported versions:

• 9.4.4 or above.
• 9.2.8 or above.
• 9.1.10 or above.
• 7.2.2 or above.

Note that there is no upgrade available for 8.X versions, so it is recommended to upgrade any solution running that software to a supported major version.

Detection of the Vulnerability

No details have been released about the exploitation of this vulnerability. That’s why it is only possible to rely in the application self-reported version number to check if an instance is vulnerable.

As part of their emerging vulnerabilities service, Tarlogic Security proactively monitors their clients’ perimeter to promptly inform, detect, and notify the presence of this vulnerability, as well as other critical threats that could have a severe impact on asset security.

References:

• https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/95c4341b-200d-11e9-b6f6-f8bc1258b856/FortiNAC_Open_Ports.pdf
• https://www.fortinet.com/products/network-access-control
• https://socradar.io/what-do-you-need-to-know-about-cve-2023-33299-vulnerability-in-fortinac/
• https://www.tenable.com/blog/cve-2023-33299-critical-remote-code-execution-vulnerability-in-fortinac