
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical vulnerability (CVE-2022-39952) was discovered in Fortinet FortiNAC, affecting versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, and 8.3.7. The flaw was found internally by Gwendal Guégniaud of Fortinet during a manual secure code audit and was disclosed on February 16, 2023. It is an external control of file name or path weakness (CWE-73) that lets an unauthenticated attacker execute unauthorized code or commands via specifically crafted HTTP requests (NVD, Horizon3).
The vulnerability is in the /bsc/campusMgr/ui/ROOT/configWizard/keyUpload.jsp endpoint, which accepts an uploaded file in the key parameter without authentication. The endpoint writes that attacker-supplied file to /bsc/campusMgr/config.applianceKey and then invokes the bash script /bsc/campusMgr/bin/configApplianceXml. That script changes directory to the filesystem root (/) and runs unzip on the uploaded archive. Because the working directory is / and the archive member names are attacker-controlled, extraction becomes an arbitrary file write to any location on the system. The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Horizon3, NVD).
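To make the write primitive concrete, here is an added illustration (not Fortinet's code and not Horizon3's exploit) of why "cd / && unzip <uploaded file>" is an arbitrary file write, next to an extractor that stays inside a dedicated staging directory. It assumes nothing about FortiNAC beyond what is described above; the archive member names and cron content are constructed sample data, and the fake root directory stands in for /. Note that a member named etc/cron.d/demo needs no "../" at all: it lands under /etc only because the extraction happens from /. A traversal member is included as well to show the generic archive-path problem. Info-ZIP unzip strips leading slashes and "../" components by default, which is exactly why the working directory, not traversal, is the dangerous part here.

```python
"""Added example: unvalidated archive extraction from "/" versus a
path-checked extraction into a staging directory. Not FortiNAC code."""
import io
import tempfile
import zipfile
from pathlib import Path

# Constructed sample members (not a real payload). The first is a plain
# relative name that becomes /etc/cron.d/demo only because the extraction
# cwd is "/"; the second is a classic "zip slip" traversal member.
SAMPLE_MEMBERS = {
    "etc/cron.d/demo": b"* * * * * root /bin/true\n",
    "../outside.txt": b"escaped\n",
}


def build_archive(members):
    """Build an in-memory zip whose member names are chosen by the caller."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def vulnerable_extract(archive, root):
    """Mimics `cd <root> && unzip archive`: each member is written wherever
    its stored name says, with no validation of that name."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            dest = Path(root, info.filename)  # attacker-chosen path
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(zf.read(info))
            written.append(dest.resolve())
    return written


def safe_extract(archive, dest_dir):
    """Extract only into dest_dir: reject absolute names and ".." components
    before touching the filesystem, then re-check the resolved target."""
    dest_dir = Path(dest_dir).resolve()
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            parts = name.replace("\\", "/").split("/")
            if name.startswith(("/", "\\")) or ".." in parts:
                rejected.append(name)
                continue
            target = (dest_dir / name).resolve()
            if dest_dir not in target.parents:  # belt and braces
                rejected.append(name)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written, rejected


def demo():
    """Run both extractors on the sample archive inside a throwaway sandbox
    and report where each member ended up."""
    archive = build_archive(SAMPLE_MEMBERS)
    with tempfile.TemporaryDirectory() as tmp:
        sandbox = Path(tmp).resolve()
        fake_root = sandbox / "root"  # stands in for "/"
        fake_root.mkdir()
        vuln = vulnerable_extract(archive, fake_root)
        escaped = [p for p in vuln if fake_root not in p.parents]

        staging = sandbox / "upload"  # dedicated directory, never "/"
        staging.mkdir()
        ok, rejected = safe_extract(archive, staging)
        return {
            "vuln_written": [str(p.relative_to(sandbox)) for p in vuln],
            "vuln_escaped": len(escaped),
            "safe_written": [str(p.relative_to(sandbox)) for p in ok],
            "safe_rejected": rejected,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable extractor drops root/etc/cron.d/demo and also writes outside.txt one level above the fake root; the checked extractor keeps the harmless relative member inside the staging directory and rejects the traversal member. Even with the checks, an application that expects a single key file should also copy only that expected file to its final location rather than trusting archive member names at all.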
Because the upload handler and the script it invokes run as root, the vulnerability gives an unauthenticated attacker remote code execution with root privileges on affected FortiNAC systems. That is a complete compromise: the attacker can write files anywhere, run arbitrary commands, and establish persistence, for example by dropping a cron job (Horizon3).
Fortinet strongly recommends that affected organizations immediately upgrade their FortiNAC installations to a fixed version. Most FortiNAC deployments are in air-gapped or otherwise non-internet-exposed environments, which reduces the opportunity for remote exploitation but does not remove the risk from an attacker who already has network access to the management interface (Fortinet Blog).
Following the advisory, some reports suggested potential 'mass exploitation' of more than 711,234 devices. Fortinet has clarified that this figure is significantly inflated and does not reflect the number of vulnerable devices in production. Exploitation attempts observed by cloud honeypots may likewise indicate only that the public proof-of-concept was fired at generic targets, not confirmed FortiNAC compromises (Fortinet Blog).
Source: This report was generated using AI