Fortinet Fixes Critical RCE Vulnerability in Wireless LAN Manager
December 19, 2024
Fortinet has recently addressed a critical security flaw (CVE-2023-34990) in its Wireless LAN Manager (FortiWLM). This vulnerability, when combined with another previously patched issue (CVE-2023-48782), could potentially enable unauthenticated remote code execution (RCE), thereby posing a significant security risk.
The vulnerability (CVE-2023-34990, CVSS 9.6) was first disclosed in March as an 'unauthenticated limited file read vulnerability' without a CVE assigned. Zach Hanley, a security researcher at Horizon3.ai, reported the bug to Fortinet at the time. He stated, 'This issue results from the lack of input validation on request parameters allowing an attacker to traverse directories and read any log file on the system.' He has since confirmed that the bug patched this week is the same issue.
Hanley noted that FortiWLM keeps very detailed logs and records the session ID of every authenticated user. By exploiting the arbitrary log file read, an attacker could obtain a user's session ID, log in as that user and abuse authenticated endpoints. The National Vulnerability Database (NVD) notes that, because of the access it provides to authenticated endpoints, the flaw can also be exploited to 'execute unauthorized code or commands via specially crafted Web requests'.
The security flaw affects FortiWLM versions 8.6.0 through 8.6.5 (fixed in 8.6.6 or above) and versions 8.5.0 through 8.5.4 (fixed in 8.5.5 or above). Back in March, Hanley also pointed out a possible exploit chain: when CVE-2023-34990 is combined with an authenticated command-injection bug (CVE-2023-48782, CVSS 8.8), it leads to RCE. The second vulnerability lets an attacker who has already exploited CVE-2023-34990 reach an authenticated endpoint and inject a malicious string into a request, which is then executed with root privileges.
Hanley explained, 'Combining both the unauthenticated arbitrary log file read and this authenticated command injection, an unauthenticated attacker can obtain remote code execution in the context of root.' He added that this endpoint is accessible to both low-privilege users and admins. Given Fortinet's status as a popular target for cyberattacks, administrators are urged to apply the patches for these vulnerabilities as soon as possible.