Merge pull request #2545 from splunk/FortinetNAC

CVE-2022-39952
splunk · Feb 21, 2023 · aca80cb · aca80cb
2 parents 1200256 + b8d6009
commit aca80cb
Show file tree

Hide file tree

Showing 3 changed files with 103 additions and 0 deletions.
diff --git a/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml b/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml
@@ -0,0 +1,67 @@
+name: Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
+id: 2038f5c6-5aba-4221-8ae2-ca76e2ca8b97
+version: 1
+date: '2023-02-21'
+author: Michael Haag, Splunk
+type: TTP
+datamodel:
+- Web
+description: The following analytic identifies a recent CVE-2022-39952 released publicly where the URI configWizard/keyUpload.jsp recieves a POST with the payload.zip, from there the POC script will schedule a cron to run the payload and contact the remote C2. 
+search: '| tstats count min(_time) as firstTime max(_time)
+  as lastTime from datamodel=Web where Web.url IN ("*configWizard/keyUpload.jsp*")  
+  by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype
+  | `drop_dm_object_name("Web")`
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | `exploit_public_facing_fortinet_fortinac_cve_2022_39952_filter`'
+how_to_implement: This detection requires the Web datamodel to be populated from a
+  supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.
+known_false_positives: False positives may be present. Modify the query as needed to POST, or add additional filtering (based on log source).
+references:
+  - https://github.com/horizon3ai/CVE-2022-39952
+  - https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/
+  - https://viz.greynoise.io/tag/fortinac-rce-attempt?days=30
+tags:
+  analytic_story:
+  - Fortinet FortiNAC CVE-2022-39952
+  asset_type: Network
+  cve:
+  - CVE-2022-39952
+  cis20:
+  - CIS 3
+  - CIS 5
+  - CIS 16
+  confidence: 80
+  context:
+  - Scope:Inbound
+  - Scope:Network
+  dataset:
+  - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/fortigate/web_fortinetnac.log
+  impact: 80
+  kill_chain_phases:
+  - Exploitation
+  - Installation
+  message: Potential CVE-2022-39952 against a Fortinet NAC may be occurring against $dest$.
+  mitre_attack_id:
+  - T1190
+  nist:
+  - DE.CM
+  observable:
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - Web.http_user_agent
+  - Web.http_method
+  - Web.url
+  - Web.url_length 
+  - Web.src
+  - Web.dest 
+  - sourcetype
+  risk_score: 64
+  security_domain: network
diff --git a/stories/fortinet_fortinac_cve_2022_39952.yml b/stories/fortinet_fortinac_cve_2022_39952.yml
@@ -0,0 +1,23 @@
+name: Fortinet FortiNAC CVE-2022-39952
+id: 2833a527-3b7f-41af-a950-39f7bbaff819
+version: 1
+date: '2023-02-21'
+author: Michael Haag, Splunk
+description: On Thursday, 16 February 2022, Fortinet released a PSIRT that details CVE-2022-39952, a critical vulnerability affecting its FortiNAC product (Horizon3.ai).
+narrative: This vulnerability, discovered by Gwendal Guegniaud of Fortinet, allows an unauthenticated attacker to write arbitrary files on the system and as a result obtain remote code execution in the context of the root user (Horizon3.ai). 
+  Impacting FortiNAC, is tracked as CVE-2022-39952 and has a CVSS v3 score of 9.8 (critical).
+  FortiNAC is a network access control solution that helps organizations gain real time network visibility, enforce security policies, and detect and mitigate threats.
+  An external control of file name or path vulnerability CWE-73 in FortiNAC webserver may allow an unauthenticated attacker to perform arbitrary write on the system, reads the security advisory.
+references: 
+   - https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/
+   - https://viz.greynoise.io/tag/fortinac-rce-attempt?days=30
+   - https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-rce-flaws-in-fortinac-and-fortiweb/
+tags:
+  analytic_story: Fortinet FortiNAC CVE-2022-39952
+  category:
+  - Adversary Tactics
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  usecase: Advanced Threat Detection
diff --git a/tests/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.test.yml b/tests/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.test.yml
@@ -0,0 +1,13 @@
+name: Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 Unit Test
+tests:
+- name: Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
+  file: web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml
+  pass_condition: '| stats count | where count > 0'
+  earliest_time: -24h
+  latest_time: now
+  attack_data:
+  - file_name: web_fortinetnac.log
+    data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/fortigate/web_fortinetnac.log
+    source: pan:threat
+    sourcetype: pan:threat
+    update_timestamp: true