Affected Platforms: FortiNAC
Impacted Users: Execute unauthorized code or commands
Impact: Remote Code Execution
Severity Level: Critical
Fortinet published a Critical Advisory (FG-IR-22-300 / CVE-2022-39952) for FortiNAC on February 16, 2023. This blog adds perspective to that Advisory, providing our customers with additional, accurate details to help them make informed, risk-based decisions.
The Fortinet Product Security Incident Response Team (PSIRT) works diligently to identify bugs before code ships. Even with processes in place that put security at the forefront of the product development lifecycle and a commitment to deliver on the highest security assurance standard, vulnerabilities occur.
Fortinet rigorously tests our product security in multiple ways – SAST (static application security testing), DAST (dynamic application security testing), SCA (software composition analysis), and penetration testing, for example – but one of the most productive methods by far has been Manual Secure Code Audits of our products. This is intensive and arduous work, but it has returned significant dividends, with over 80% of all vulnerabilities published in 2022 coming from internal discovery. The number is vital because it allows us to get ahead of cyber adversaries.
Importantly, it was during one of these internal audits that the Fortinet PSIRT team itself identified this Remote Code Execution vulnerability. We immediately remediated and published this finding as part of our February PSIRT advisory. (If you are not subscribed to our advisories, we highly recommend registering using one of the methods described here.) Fortinet PSIRT policy balances our culture of transparency with our commitment to the security of our customers. Every vulnerability that has been addressed is published in our advisories, based on our published Fortinet PSIRT Policy, and we actively work with our customers and industry partners on mitigation guidance and recommended next steps.
Timely and ongoing communications with our customers are vital in our efforts to best protect and secure their organizations. Shortly after the advisory was published, a third-party security organization released a working POC (proof of concept) for the vulnerability.
The information provided to Fortinet customers helps them make informed risk-based decisions. Ensuring that such information is accurate is an essential factor in that assessment. That said, the additional perspectives provided herein are not intended to diminish the severity of this issue.
Should customers immediately upgrade their FortiNAC? Yes, absolutely.
For additional information and guidance, please visit the Fortinet PSIRT Advisory. Customers can also reach out to Fortinet Support for more information.