Fortinet has rolled out updates to address a critical security vulnerability impacting its FortiNAC network access control solution that could lead to the execution of arbitrary code.
Tracked as CVE-2023-33299, the flaw is rated 9.6 out of 10 for severity on the CVSS scoring system. It has been described as a case of Java untrusted object deserialization.
“A deserialization of untrusted data vulnerability [CWE-502] in FortiNAC may allow an unauthenticated user to execute unauthorized code or commands via specifically crafted requests to the tcp/1050 service,” Fortinet said in an advisory published last week.
The shortcoming impacts the following products, with patches available in FortiNAC versions 7.2.2, 9.1.10, 9.2.8, and 9.4.3 or later –
The alert follows the active exploitation of another critical vulnerability affecting FortiOS and FortiProxy (CVE-2023-27997, CVSS score: 9.2) that could allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.
It also comes more than four months after Fortinet addressed a severe bug in FortiNAC (CVE-2022-39952, CVSS score: 9.8) that could lead to arbitrary code execution. The flaw has since come under active exploitation shortly after a proof-of-concept (PoC) was made available.
In a related development, Grafana has released patches for a critical security vulnerability (CVE-2023-3128) that could permit malicious attackers to bypass authentication and take over any account that uses Azure Active Directory for authentication.
“If exploited, the attacker can gain complete control of a user’s account, including access to private customer data and sensitive information,” Grafana said.
“If exploited, the attacker can gain complete control of a user’s account, including access to private customer data and sensitive information.”
Source: https://thehackernews.com/
