Fortinet has issued an advisory for a now-patched critical security flaw impacting Wireless LAN Manager (FortiWLM) that could lead to disclosure of sensitive information.
The vulnerability, tracked as CVE-2023-34990, carries a CVSS score of 9.6 out of a maximum of 10.0. It was originally fixed by Fortinet back in September 2023, but without a CVE designation.
“A relative path traversal [CWE-23] in FortiWLM may allow a remote unauthenticated attacker to read sensitive files,” the company said in an alert released Wednesday.
However, according to a description of the security flaw in the NIST’s National Vulnerability Database (NVD), the path traversal vulnerability could also be exploited by an attacker to “execute unauthorized code or commands via specially crafted web requests.”
The flaw impacts the following versions of the product –
- FortiWLM versions 8.6.0 through 8.6.5 (Fixed in 8.6.6 or above)
- FortiWLM versions 8.5.0 through 8.5.4 (Fixed in 8.5.5 or above)
The company credited Horizon3.ai security researcher Zach Hanley for discovering and reporting the shortcoming. It’s worth mentioning here that CVE-2023-34990 refers to the “unauthenticated limited file read vulnerability” the cybersecurity company revealed back in March as part of a broader set of six flaws in FortiWLM.
“This vulnerability allows remote, unauthenticated attackers to access and abuse builtin functionality meant to read specific log files on the system via a crafted request to the /ems/cgi-bin/ezrf_lighttpd.cgi endpoint,” Hanley said at the time.
“This issue results from the lack of input validation on request parameters allowing an attacker to traverse directories and read any log file on the system.”
A successful exploitation of CVE-2023-34990 could allow the threat actor to read FortiWLM log files and get hold of the session ID of a user and login, thereby allowing them to exploit authenticated endpoints as well.
To make matters worse, the attackers could take advantage of the fact that the web session IDs are static between user sessions to hijack them and gain administrative permissions to the appliance.
That’s not all. An attacker could also combine CVE-2023-34990 with CVE-2023-48782 (CVSS score: 8.8), an authenticated command injection flaw that has also been fixed in FortiWLM 8.6.6, to obtain remote code execution in the context of root.
Separately patched by Fortinet is a high-severity operating system command injection vulnerability in FortiManager that may allow an authenticated remote attacker to execute unauthorized code via FGFM-crafted requests.
The vulnerability (CVE-2024-48889, CVSS score: 7.2) has been addressed in the below versions –
- FortiManager 7.6.0 (Fixed in 7.6.1 or above)
- FortiManager versions 7.4.0 through 7.4.4 (Fixed in 7.4.5 or above)
- FortiManager Cloud versions 7.4.1 through 7.4.4 (Fixed in 7.4.5 or above)
- FortiManager versions 7.2.3 through 7.2.7 (Fixed in 7.2.8 or above)
- FortiManager Cloud versions 7.2.1 through 7.2.7 (Fixed in 7.2.8 or above)
- FortiManager versions 7.0.5 through 7.0.12 (Fixed in 7.0.13 or above)
- FortiManager Cloud versions 7.0.1 through 7.0.12 (Fixed in 7.0.13 or above)
- FortiManager versions 6.4.10 through 6.4.14 (Fixed in 6.4.15 or above)
Fortinet also noted that a number of older models, 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, and 3900E, are affected by CVE-2024-48889 provided the “fmg-status” is enabled.
With Fortinet devices becoming an attack magnet for threat actors, it’s essential that users keep their instances up-to-date to safeguard against potential threats.
