CVE-2023-22633: 
FortiNAC vulnerability analysis and mitigation

An improper permissions, privileges, and access controls vulnerability (CWE-264) was discovered in FortiNAC, identified as CVE-2023-22633. The vulnerability affects multiple versions of FortiNAC including FortiNAC-F version 7.2.0, FortiNAC versions 9.4.0-9.4.1, 9.2.0-9.2.6, 9.1.0-9.1.8, and all versions of FortiNAC 8.8.0 and 8.7.0. The vulnerability was initially published on June 12, 2023, and was reported by KPN under responsible disclosure (Fortiguard PSIRT).

The vulnerability is classified as an improper permissions, privileges, and access controls issue that allows client-secure renegotiation attacks. It has been assigned a High severity rating with a CVSSv3 score of 7.5, indicating significant potential impact. The vulnerability specifically relates to the SSL renegotiation mechanism in FortiNAC (Fortiguard PSIRT, NVD).

The primary impact of this vulnerability is the potential for Denial of Service (DoS) attacks. An unauthenticated attacker can exploit this vulnerability to perform a DoS attack on the affected device through client-secure renegotiation, potentially disrupting network access control services (Fortiguard PSIRT).

Fortinet has released patches to address this vulnerability. Organizations are advised to upgrade to the following versions: FortiNAC-F version 7.2.1 or above, FortiNAC version 9.4.2 or above, FortiNAC version 9.2.7 or above, or FortiNAC version 9.1.9 or above (Fortiguard PSIRT).