PoC exploit, IoCs for Fortinet FortiNAC RCE released (CVE-2022-39952)
“Similar to the weaponization of previous archive vulnerability issues that allow arbitrary file write, we use this vulnerability to write a cron job to /etc/cron.d/payload. This cron job gets triggered every minute and initiates a reverse shell to the attacker,” shared Zach Hanley, Chief Attack Engineer at Horizon3.ai.
“We first create a zip that contains a file and specify the path we want it extracted. Then, we send the malicious zip file to the vulnerable endpoint in the key field. Within a minute, we get a reverse shell as the root user.”
No exploitation attempts detected so far
Hanley explained the nature of the flaw and shared indicators of compromise: the line Running configApplianceXml in the filesystem logs located at /bsc/logs/output.master. But, he notes, it’s possible defenders won’t find it if attackers make sure to scrub the log file.
“Arbitrary file write vulnerabilities can be abused in several ways to obtain remote code execution. In this case, we write a cron job to /etc/cron.d/, but attackers could also overwrite any binary on the system that is regularly executed or SSH keys to a user profile,” he added.
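As an added example (not Horizon3.ai's PoC and not Fortinet's own tooling), the check below scans output.master-style log lines for the indicator Hanley names and reviews the contents of /etc/cron.d for the PoC's path or any other every-minute root job. The log line format, the every-minute heuristic and the sample log and cron data are constructed assumptions.

```python
# Added example (not Horizon3.ai's or Fortinet's code): a small defender-side check for the
# indicators named in the write-up. Log format and cron.d contents below are constructed.
import re
from typing import Dict, Iterable, List

# IoC from the write-up: this string appears in /bsc/logs/output.master on a hit.
INDICATOR = "Running configApplianceXml"
# Path written by the public PoC; anything unexpected in /etc/cron.d deserves the same review.
POC_CRON_PATH = "/etc/cron.d/payload"
# Heuristic (assumption): an every-minute root job in cron.d matches the PoC's persistence pattern.
EVERY_MINUTE_ROOT = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s+root\b")


def find_indicator_hits(lines: Iterable[str]) -> List[str]:
    """Return the log lines that contain the IoC string (e.g. read from /bsc/logs/output.master)."""
    return [line.rstrip("\n") for line in lines if INDICATOR in line]


def suspicious_cron_entries(cron_files: Dict[str, str]) -> List[str]:
    """Given {path: contents} for /etc/cron.d, flag the PoC path and any every-minute root job."""
    flagged = []
    for path, contents in sorted(cron_files.items()):
        if path == POC_CRON_PATH:
            flagged.append(path)
            continue
        if any(EVERY_MINUTE_ROOT.match(entry.strip()) for entry in contents.splitlines()):
            flagged.append(path)
    return flagged


# Constructed sample data standing in for the real log file and cron directory.
SAMPLE_LOG = [
    "2023-02-21 10:00:01 INFO  Starting scheduled task\n",
    "2023-02-21 10:00:07 INFO  Running configApplianceXml\n",
    "2023-02-21 10:00:08 INFO  Task finished\n",
]
SAMPLE_CRON = {
    "/etc/cron.d/payload": "* * * * * root /bin/sh -c 'echo placeholder'\n",
    "/etc/cron.d/sysstat": "5-55/10 * * * * root /usr/lib64/sa/sa1 1 1\n",
    "/etc/cron.d/odd-job": "* * * * * root /tmp/unknown\n",
}

if __name__ == "__main__":
    for hit in find_indicator_hits(SAMPLE_LOG):
        print("IoC in log:", hit)
    for path in suspicious_cron_entries(SAMPLE_CRON):
        print("review cron entry:", path)
```

Because the write-up notes the log line can be scrubbed, an empty result from the log scan does not clear a device; the cron.d review and a patched version remain the stronger signals.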
Simultaneously, Greynoise has set up a tag to record CVE-2022-39952 exploitation attempts and, so far, they haven’t detected any.
Enterprise admins who have missed the initial Fortinet alert are advised to update their FortiNAC device(s) to version 9.4.1 or above, 9.2.6 or above, 9.1.8 or above, and 7.2.0 or above as soon as possible, because there are no available workarounds.
UPDATE (February 22, 2023, 04:55 a.m. ET):
Rapid7 threat analyst Christiaan Beek has noted that Horizon3.ai’s PoC exploit has been tested and works against vulnerable devices, and that ShadowServer’s honeypots have already reported scanning activity.