PSIRT Blogs

Perspectives: FortiNAC and CVE-2022-39952

By Carl Windsor | February 23, 2023

Affected Platforms: FortiNAC
Impact: Execute unauthorized code or commands (Remote Code Execution)
Severity Level: Critical

Fortinet published a Critical Advisory (FG-IR-22-300 / CVE-2022-39952) for FortiNAC on February 16, 2023. This blog adds perspective to that Advisory, providing our customers with additional, accurate details to help them make informed, risk-based decisions.

The Fortinet Product Security Incident Response Team (PSIRT) works diligently to identify bugs before code ships. Even with processes in place that put security at the forefront of the product development lifecycle and a commitment to deliver on the highest security assurance standard, vulnerabilities occur.

Fortinet rigorously tests our product security in multiple ways – SAST (static application security testing), DAST (dynamic application security testing), SCA (software composition analysis), and penetration testing, for example – but one of the most productive methods by far has been manual secure code audits of our products. This is intensive and arduous work, but it has returned significant dividends: over 80% of all vulnerabilities published in 2022 came from internal discovery. That ratio matters because every bug we find ourselves is one we can fix and disclose before cyber adversaries can discover and weaponize it.

Importantly, it was during one of these internal audits that the Fortinet PSIRT team itself identified this Remote Code Execution vulnerability. We immediately remediated and published this finding as part of our February PSIRT advisory. (If you are not subscribed to our advisories, we highly recommend registering using one of the methods described here.) Fortinet PSIRT policy balances our culture of transparency with our commitment to the security of our customers. Every vulnerability we address is published in an advisory, in accordance with the published Fortinet PSIRT Policy, and we actively work with our customers and industry partners on mitigation guidance and recommended next steps.

Timely and ongoing communication with our customers is vital in our efforts to protect and secure their organizations. Shortly after the advisory was published, a third-party security organization released a working POC (proof of concept) for the vulnerability. A public POC lowers the bar for exploitation considerably, which is why affected systems should be upgraded without delay.

Clarifications

  • This is a critical issue, and FortiNAC customers running affected versions need to upgrade.
  • The latest advisory included fixes for FortiNAC that stemmed from the Fortinet PSIRT team’s hard work.
  • There have been sensationalized reports of a potential “mass exploitation” of 711,234 devices based on CVE-2022-39952. Those reports are inaccurate.
    • The fact is most organizations deploy FortiNAC in air-gapped environments that are not exposed to the internet. And while Fortinet has a vast cybersecurity portfolio and has shipped over 10M units, there are not 711,234 vulnerable FortiNAC devices out there. The confusion is understandable, because we ship more security appliances than anyone and a count of Fortinet devices is not a count of FortiNAC devices, but the reports are false.
  • Another consideration for reported “mass exploitation” numbers is that cloud honeypot activity only shows attackers sending the externally provided POC code at whatever answers on the network (not necessarily FortiNAC devices). An exploitation attempt logged by a honeypot is not a vulnerable FortiNAC installation, and it is not a successful compromise. Counting attempts and counting exploited devices are not the same thing.
  • As with any news of this sort, inaccurate information can create confirmation bias in the search for and interpretation of further information, giving certain reports more weight than the evidence warrants.

Conclusion

The information provided to Fortinet customers helps them make informed risk-based decisions. Ensuring that such information is accurate is an essential factor in that assessment. That said, the additional perspectives provided herein are not intended to diminish the severity of this issue.

Should customers immediately upgrade their FortiNAC? Yes, absolutely.

For additional information and guidance, please visit the Fortinet PSIRT Advisory. Customers can also reach out to Fortinet Support for more information.