On June 23, 2023, a vulnerability designated CVE-2023-33299 in Fortinet’s FortiNAC network access control solution was published by NIST. FortiGuard Labs (Fortinet) summarizes it as “a vulnerability that may allow an unauthenticated user to execute unauthorized code or commands via specifically crafted requests.”
This post provides an overview of steps you can take to protect your organization and your third-party network. It also summarizes our investigation and mitigation efforts.
Severity and Impact
As Tenable explains, “A remote, unauthenticated attacker could exploit this vulnerability by sending a specially crafted request to the service running on TCP port 1050. Successful exploitation would give the attacker the ability to execute arbitrary code on the target device.”
CVE-2023-33299 has been assigned a base score of 9.8, or “Critical Severity,” which indicates that it affects common configurations and has the potential to cause significant harm, compromise systems, or enable unauthorized access or control.
It is important to quickly assess the impact and risk both internally and within your third-party population. Take action now and follow these steps to assess the potential impact to systems and remediate accordingly.
Step 1: Determine if you are at risk
The following FortiNAC products are impacted:
- FortiNAC version 9.4.0 through 9.4.2
- FortiNAC version 9.2.0 through 9.2.7
- FortiNAC version 9.1.0 through 9.1.9
- FortiNAC version 7.2.0 through 7.2.1
- FortiNAC 8.8, all versions
- FortiNAC 8.7, all versions
- FortiNAC 8.6, all versions
- FortiNAC 8.5, all versions
- FortiNAC 8.3, all versions
To assess whether your third parties are vulnerable, customers can access the FortiNAC Vulnerability Questionnaire in the Whistic Platform, located in our Questionnaire Standards Library. You can also quickly send a bulk request.
Step 2: Identify and patch impacted systems
Update to the appropriate fixed version:
- FortiNAC version 9.4.3 or above
- FortiNAC version 9.2.8 or above
- FortiNAC version 9.1.10 or above
- FortiNAC version 7.2.2 or above
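As an added example (not from the Whistic post or from Fortinet), the following Python script applies the affected and fixed version ranges from Steps 1 and 2 to a device inventory; the hostnames and versions in it are constructed, and the wording of the remediation strings is the author's own.

```python
"""Triage FortiNAC versions against the CVE-2023-33299 advisory ranges."""
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# (branch, first affected, last affected, first fixed) as listed in the advisory.
AFFECTED_BRANCHES = [
    ("9.4", (9, 4, 0), (9, 4, 2), "9.4.3"),
    ("9.2", (9, 2, 0), (9, 2, 7), "9.2.8"),
    ("9.1", (9, 1, 0), (9, 1, 9), "9.1.10"),
    ("7.2", (7, 2, 0), (7, 2, 1), "7.2.2"),
]
# Branches where every release is affected and no fixed release is listed.
ALL_VERSIONS_AFFECTED = {"8.8", "8.7", "8.6", "8.5", "8.3"}
FIXED_TARGETS = "7.2.2, 9.1.10, 9.2.8 or 9.4.3 (or above)"

def parse_version(text: str) -> Version:
    """Turn '9.4.2' into (9, 4, 2); missing components are padded with 0.
    Comparing integer tuples avoids the string trap where '9.1.10' < '9.1.9'."""
    nums = tuple(int(p) for p in text.strip().split("."))
    return (nums + (0, 0, 0))[:3]  # type: ignore[return-value]

def assess(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, remediation); status is 'vulnerable', 'patched' or 'unknown'."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    if branch in ALL_VERSIONS_AFFECTED:
        return "vulnerable", f"no fixed release in this branch; migrate to {FIXED_TARGETS}"
    for name, first, last, fixed in AFFECTED_BRANCHES:
        if name == branch:
            if first <= v <= last:
                return "vulnerable", f"upgrade to FortiNAC {fixed} or above"
            return "patched", None
    return "unknown", "branch not listed in the advisory; confirm status with the vendor"

def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Assess every host and return only those that still need action."""
    results = {host: assess(ver) for host, ver in inventory.items()}
    return {host: r for host, r in results.items() if r[0] != "patched"}

# Constructed sample inventory (hostname -> reported FortiNAC version).
INVENTORY = {"nac-hq-01": "9.4.2", "nac-dc-02": "9.1.10",
             "nac-lab-03": "8.8.11", "nac-eu-04": "9.3.1"}

if __name__ == "__main__":
    for host, (status, action) in triage(INVENTORY).items():
        print(f"{host}: {status} - {action}")
```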
Does this affect Whistic?
As a result of our investigation, we have determined that this vulnerability does not directly impact Whistic.