
Fortinet FortiNAC - Unprotected MySQL root account (CVE-2022-26117)

High
orange-cert-cc published GHSA-r259-5p5p-2q47 Jul 6, 2022

Package

FortiNAC (Fortinet)

Affected versions

9.2.1.0415

Patched versions

9.2.4

Description

Overview

The MySQL database used by FortiNAC has no password set on its root account, so any local user can connect to the database and modify or corrupt it, which can make the solution unstable.

Details

The MySQL database used by FortiNAC has no password set on its root account, so any local user can connect to the database and modify or corrupt it, which can make the solution unstable.
It is also possible to retrieve some tokens from some tables.
Fortunately, the database listens on localhost.

Proof of Concept

As a local unprivileged user, just execute the command mysql -u root and enjoy.

Affected versions

The security issue was detected in v9.2.1.0415 but also affects:

  • FortiNAC version 8.3.7
  • FortiNAC version 8.5.0 - 8.5.2
  • FortiNAC version 8.5.4
  • FortiNAC version 8.6.0
  • FortiNAC version 8.6.2 - 8.6.5
  • FortiNAC version 8.7.0 - 8.7.6
  • FortiNAC version 8.8.0 - 8.8.11
  • FortiNAC version 9.1.0 - 9.1.5
  • FortiNAC version 9.2.0 - 9.2.3

Solution

Security patch

Upgrade to fixed FortiNAC version 9.1.6 or above, or 9.2.4 or above
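
To confirm that the condition described above is gone after upgrading, the following check can be run as an unprivileged local account. It is an added example, not code from Orange CERT-CC or Fortinet; the function name, the optional client-path argument and the verdict strings are assumptions of this example.

```shell
#!/bin/sh
# Added example: run as an unprivileged local account on the appliance.
# check_passwordless_root and its verdict strings are names chosen here.
# Exit status: 0 = login refused, 1 = password-less root accepted, 2 = unknown.

check_passwordless_root() {
    client="${1:-mysql}"   # optional client path (assumption of this example)

    if ! command -v "$client" >/dev/null 2>&1; then
        echo "UNKNOWN: mysql client not found"
        return 2
    fi

    # --no-defaults must come first; it ignores option files so a password
    # saved in ~/.my.cnf cannot mask the result. No password is supplied.
    if out=$("$client" --no-defaults -u root --connect-timeout=5 \
             --batch --skip-column-names -e 'SELECT CURRENT_USER()' 2>&1); then
        echo "VULNERABLE: root login without password accepted ($out)"
        return 1
    fi

    case "$out" in
        *"ERROR 1045"*|*"ERROR 1698"*)   # access denied by the server
            echo "OK: password-less root login refused"
            return 0 ;;
        *"ERROR 2002"*|*"ERROR 2003"*)   # server not reachable
            echo "UNKNOWN: MySQL server not reachable"
            return 2 ;;
        *)
            echo "UNKNOWN: $out"
            return 2 ;;
    esac
}
```

Calling `check_passwordless_root` with no argument uses the `mysql` client found on `PATH`. An "unknown" result means the check could not reach a verdict and should not be read as "fixed".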

References

https://nvd.nist.gov/vuln/detail/CVE-2022-26117
https://www.fortiguard.com/psirt/FG-IR-22-058

Credits

Orange CERT-CC
Valentin ALLAIRE at Orange group

Timeline

Date reported: March 11, 2022
Date fixed: July 6, 2022

Severity

High 8.8 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID

CVE-2022-26117

Weaknesses

No CWEs