Overview
The MySQL database used for the FortiNAC has no password set and any local user can connect on the database and modify or corrupt it which can make the solution unstable.
Details
The MySQL database used for the FortiNAC has no password set and any local user can connect on the database and modify or corrupt it which can make the solution unstable.
It is also possible to retrieve some token inside some tables.
The database is luckily listenning on the localhost.
Proof of Concept
With a local unprivilieged user just execute the command mysql -u root and enjoy.
Affected versions
Security issue has been detected in v9.2.1.0415 but affects also:
- FortiNAC version 8.3.7
- FortiNAC version 8.5.0 - 8.5.2
- FortiNAC version 8.5.4
- FortiNAC version 8.6.0
- FortiNAC version 8.6.2 - 8.6.5
- FortiNAC version 8.7.0 - 8.7.6
- FortiNAC version 8.8.0 - 8.8.11
- FortiNAC version 9.1.0 - 9.1.5
- FortiNAC version 9.2.0 - 9.2.3
Solution
Security patch
Upgrade to fixed FortiNAC version 9.1.6 or above, or 9.2.4 or above
References
https://nvd.nist.gov/vuln/detail/CVE-2022-26117
https://www.fortiguard.com/psirt/FG-IR-22-058
Credits
Orange CERT-CC
Valentin ALLAIRE at Orange group
Timeline
Date reported: March 11, 2022
Date fixed: July 6, 2022
Overview
The MySQL database used for the FortiNAC has no password set and any local user can connect on the database and modify or corrupt it which can make the solution unstable.
Details
The MySQL database used for the FortiNAC has no password set and any local user can connect on the database and modify or corrupt it which can make the solution unstable.
It is also possible to retrieve some token inside some tables.
The database is luckily listenning on the localhost.
Proof of Concept
With a local unprivilieged user just execute the command
mysql -u rootand enjoy.Affected versions
Security issue has been detected in v9.2.1.0415 but affects also:
Solution
Security patch
Upgrade to fixed FortiNAC version 9.1.6 or above, or 9.2.4 or above
References
https://nvd.nist.gov/vuln/detail/CVE-2022-26117
https://www.fortiguard.com/psirt/FG-IR-22-058
Credits
Orange CERT-CC
Valentin ALLAIRE at Orange group
Timeline
Date reported: March 11, 2022
Date fixed: July 6, 2022