Fortinet on Thursday patched two critical bugs in its FortiNAC and FortiWeb products that, if exploited, could allow an unauthenticated attacker to execute unauthorized code or commands via a specifically crafted HTTP request.
While both were rated critical, the FortiNAC bug — CVE-2022-39952 — was rated at 9.8 and affected versions 9.4.0; 9.2.0 through 9.2.5; 9.1.0 through 9.1.7; 8.8.0 through 8.8.11; 8.7.0 through 8.7.6; 8.6.0 through 8.6.5; 8.5.0 through 8.5.4; and 8.3.7.
The FortiWeb bug — CVE-2021-42756 — was reported as a multiple stack-based buffer overflow vulnerability in the proxy daemon of FortiWeb 5.x all versions; 6.0.7 and below; 6.1.2 and below; 6.2.6 and below; 6.3.16 and below; and 6.4.
Fortinet encourages its users to do the upgrades as specified in its advisories for the FortiNAC and FortiWeb products.
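As an added example (not code from Fortinet or its advisories), a small Python triage helper that matches an appliance inventory against the affected version ranges quoted above. The hostnames and versions in the sample inventory are constructed, and the bare "6.4" FortiWeb entry is assumed here to mean every 6.4.x release.

```python
"""Triage helper: flag FortiNAC / FortiWeb versions that fall inside the affected
ranges quoted in the article. Example code, not Fortinet's own tooling."""


def parse_version(text: str) -> tuple:
    """'9.2.5' -> (9, 2, 5). Shorter strings are zero-padded ('6.4' -> (6, 4, 0));
    a fourth build component, if present, is ignored."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


# Inclusive (lowest, highest) affected ranges, transcribed from the advisory summary.
FORTINAC_AFFECTED = [
    ("9.4.0", "9.4.0"), ("9.2.0", "9.2.5"), ("9.1.0", "9.1.7"), ("8.8.0", "8.8.11"),
    ("8.7.0", "8.7.6"), ("8.6.0", "8.6.5"), ("8.5.0", "8.5.4"), ("8.3.7", "8.3.7"),
]
# "5.x all versions" is modelled as 5.0.0 .. 5.999.999. The bare "6.4" is an assumption
# on our part: every 6.4.x release is treated as affected unless the advisory says otherwise.
FORTIWEB_AFFECTED = [
    ("5.0.0", "5.999.999"), ("6.0.0", "6.0.7"), ("6.1.0", "6.1.2"),
    ("6.2.0", "6.2.6"), ("6.3.0", "6.3.16"), ("6.4.0", "6.4.999"),
]
ADVISORIES = {
    "FortiNAC": ("CVE-2022-39952", FORTINAC_AFFECTED),
    "FortiWeb": ("CVE-2021-42756", FORTIWEB_AFFECTED),
}


def is_affected(product: str, version: str) -> bool:
    """True if `version` of `product` lies inside any listed affected range."""
    _, ranges = ADVISORIES[product]
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)


def triage(inventory) -> list:
    """Return '<host> <product> <version> -> <CVE>' for every appliance needing the upgrade."""
    findings = []
    for host, product, version in inventory:
        if product in ADVISORIES and is_affected(product, version):
            findings.append(f"{host} {product} {version} -> {ADVISORIES[product][0]}")
    return findings


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = [
    ("nac-01", "FortiNAC", "9.2.5"),   # inside 9.2.0-9.2.5: flagged
    ("nac-02", "FortiNAC", "9.2.6"),   # above the listed 9.2.5 ceiling: not flagged
    ("nac-03", "FortiNAC", "8.3.6"),   # only 8.3.7 is listed for that branch: not flagged
    ("waf-01", "FortiWeb", "5.9.1"),   # 5.x, all versions affected: flagged
    ("waf-02", "FortiWeb", "6.3.17"),  # above 6.3.16: not flagged
    ("fw-01", "FortiGate", "7.0.1"),   # product not covered by these advisories: skipped
]

if __name__ == "__main__":
    for line in triage(SAMPLE_INVENTORY):
        print(line)
```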
Mike Parkin, senior technical engineer at Vulcan Cyber, said while there aren't a lot of details available on either of these issues beyond them being remote exploits, Fortinet did release updated versions that address the vulnerabilities.
“As always, especially with a security product, deploying using industry best practices and keeping up to date on patches are just the starting points,” said Parkin.
When asked about how the FortiWeb bug dates back to 2021, Parkin said he wished he knew the reason for the long time lag.
“We've all seen these long delays between a CVE reservation and an actual publication,” said Parkin. “It would be nice if there was more clarity about the delays when they happen.”
A Fortinet spokesperson said the FortiWeb bug was found internally and published in its February advisory as part of its product security incident response policies.