Fortinet has released security updates for FortiWeb, FortiNAC, FortiOS, and other products, addressing 40 vulnerabilities in its software lineup.

Of the 40 flaws, two are critical-severity vulnerabilities that allow unauthenticated attackers to execute arbitrary code or commands; 15 are rated high, 22 medium, and one low.

The first flaw, affecting the FortiNAC network access control solution, is tracked as CVE-2022-39952 and has a CVSS v3 score of 9.8. FortiNAC helps organisations gain real-time network visibility, detect and enforce security policies, and mitigate threats.

The CVE-2022-39952 vulnerability is fixed in FortiNAC versions 9.4.1, 9.2.6, 9.1.8 and 7.2.0.

The products impacted by this flaw are:

  • FortiNAC version 9.4.0
  • FortiNAC version 9.2.0 through 9.2.5
  • FortiNAC version 9.1.0 through 9.1.7
  • FortiNAC 8.8, all versions
  • FortiNAC 8.7, all versions
  • FortiNAC 8.6, all versions
  • FortiNAC 8.5, all versions
  • FortiNAC 8.3, all versions

The second flaw, which affects FortiWeb, is tracked as CVE-2021-42756 and has a CVSS v3 score of 9.3. Multiple stack-based buffer overflow vulnerabilities (CWE-121) in FortiWeb's proxy daemon may allow unauthenticated remote attackers to achieve arbitrary code execution via crafted HTTP requests.

FortiWeb is a web application firewall (WAF) that protects web applications and APIs from XSS, SQL injection, DDoS and other online threats.

CVE-2021-42756 affects the following FortiWeb versions:

  • FortiWeb 5.x, all versions
  • FortiWeb 6.0.7 and below
  • FortiWeb 6.1.2 and below
  • FortiWeb 6.2.6 and below
  • FortiWeb 6.3.16 and below
  • FortiWeb 6.4, all versions

To address the flaw, admins should upgrade to FortiWeb 7.0.0 or later, 6.3.17 or later, 6.2.7 or later, 6.1.3 or later, or 6.0.8 or later.

CVE-2021-42756 appears to have been identified in 2021 but has only now been publicly disclosed. The vendor has not provided mitigation advice for the flaws, so applying the available security updates is the only way to address the risk.
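The affected and fixed version lists above are exactly what an asset owner needs to triage an inventory of Fortinet appliances. The following Python script is an added example, not code from the article or from Fortinet: it encodes the two CVEs' affected ranges and fixed releases as stated above and checks arbitrary version strings against them. The function names, the rule representation and the sample inventory are this example's own; "6.0.7 and below" and its siblings are read as covering the whole 6.0 branch up to 6.0.7, which is consistent with the per-branch fixed releases the advisory lists.

```python
"""Triage Fortinet appliance versions against the FortiNAC / FortiWeb advisory.

Added example. ADVISORY is transcribed from the article text; everything else
(function names, rule format, sample inventory) is constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# A rule is ("range", low, high) with both ends inclusive, or ("branch", prefix)
# meaning every release whose version number starts with that prefix.
ADVISORY: Dict[str, Dict] = {
    "CVE-2022-39952": {
        "product": "FortiNAC",
        "affected": [
            ("range", "9.4.0", "9.4.0"),
            ("range", "9.2.0", "9.2.5"),
            ("range", "9.1.0", "9.1.7"),
            ("branch", "8.8"), ("branch", "8.7"), ("branch", "8.6"),
            ("branch", "8.5"), ("branch", "8.3"),
        ],
        "fixed": ["9.4.1", "9.2.6", "9.1.8", "7.2.0"],
    },
    "CVE-2021-42756": {
        "product": "FortiWeb",
        "affected": [
            ("branch", "5"),
            # "6.0.7 and below" is read as the 6.0 branch up to and including 6.0.7
            ("range", "6.0.0", "6.0.7"),
            ("range", "6.1.0", "6.1.2"),
            ("range", "6.2.0", "6.2.6"),
            ("range", "6.3.0", "6.3.16"),
            ("branch", "6.4"),
        ],
        "fixed": ["7.0.0", "6.3.17", "6.2.7", "6.1.3", "6.0.8"],
    },
}


def parse_version(text: str) -> Version:
    """'9.2.5' -> (9, 2, 5). Parsing stops at a non-numeric segment such as 'x'."""
    parts: List[int] = []
    for seg in text.strip().split("."):
        if not seg.isdigit():
            break
        parts.append(int(seg))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def _matches(rule: tuple, v: Version) -> bool:
    if rule[0] == "branch":
        prefix = parse_version(rule[1])
        return v[: len(prefix)] == prefix
    _, low, high = rule
    # Pad the upper bound so that e.g. 9.4.0 also covers a build like 9.4.0.1.
    upper = parse_version(high) + (10 ** 9,)
    return parse_version(low) <= v <= upper


def affected_cves(product: str, version: str) -> List[str]:
    """CVE ids from the advisory that apply to this product/version pair."""
    v = parse_version(version)
    return [
        cve for cve, entry in ADVISORY.items()
        if entry["product"] == product and any(_matches(r, v) for r in entry["affected"])
    ]


def fix_in_branch(cve: str, version: str) -> Optional[str]:
    """Lowest fixed release on the same major.minor branch, or None when the
    advisory lists no fix for that branch (an upgrade across branches is needed)."""
    v = parse_version(version)
    candidates = [
        f for f in ADVISORY[cve]["fixed"]
        if parse_version(f)[:2] == v[:2] and parse_version(f) > v
    ]
    return min(candidates, key=parse_version) if candidates else None


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """One report line per vulnerable host; hosts on fixed versions are omitted."""
    report = []
    for host, product, version in inventory:
        for cve in affected_cves(product, version):
            fix = fix_in_branch(cve, version)
            action = f"upgrade to {fix}" if fix else "no fix on this branch; move to a fixed branch"
            report.append(f"{host}: {product} {version} vulnerable to {cve}, {action}")
    return report


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = [
        ("nac-01", "FortiNAC", "9.2.3"),
        ("nac-02", "FortiNAC", "8.8.2"),
        ("nac-03", "FortiNAC", "9.4.1"),
        ("waf-01", "FortiWeb", "6.3.10"),
        ("waf-02", "FortiWeb", "6.4.1"),
        ("waf-03", "FortiWeb", "7.0.2"),
    ]
    for line in triage(sample):
        print(line)
```

Feed `triage()` the product and firmware version columns from your CMDB export; hosts already on a fixed release produce no line, and branches without a same-branch fix (FortiNAC 8.x, FortiWeb 5.x and 6.4) are flagged for a cross-branch upgrade rather than given a misleading patch level.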
