Fortinet Fixes Critical RCE Vulnerability in Wireless LAN Manager

December 19, 2024

Fortinet has recently addressed a critical security flaw (CVE-2023-34990) in its Wireless LAN Manager (FortiWLM). This vulnerability, when combined with another previously patched issue (CVE-2023-48782), could potentially enable unauthenticated remote code execution (RCE), thereby posing a significant security risk.

The vulnerability (CVE-2023-34990, CVSS 9.6) was initially reported in March as an 'unauthenticated limited file read vulnerability' without a CVE. Zach Hanley, a security researcher at Horizon3.ai, initially reported the bug to Fortinet. He stated, 'This issue results from the lack of input validation on request parameters allowing an attacker to traverse directories and read any log file on the system.' He further confirmed that the bug patched this week is the same issue.

Hanley noted that FortiWLM has very detailed logs and logs the session ID of all authenticated users. By exploiting the arbitrary log file read, an attacker could potentially obtain the session ID of a user and login, and also abuse authenticated endpoints. The National Vulnerability Database (NVD) has highlighted that the flaw can also be exploited to 'execute unauthorized code or commands via specially crafted Web requests' due to the access it provides to authenticated endpoints.

The security flaw impacts FortiWLM versions 8.6.0 through 8.6.5 (fixed in 8.6.6 or above) and versions 8.5.0 through 8.5.4 (fixed in 8.5.5 or above). Hanley, back in March, also pointed out a possible exploit chain: When CVE-2023-34990 is combined with an authenticated command-injection bug (CVE-2023-48782, CVSS 8.8), it can lead to RCE. This second vulnerability allows an attacker who has exploited CVE-2023-34990 to gain access to an authenticated endpoint and inject a malicious string into a request. This string will then be executed with root privileges.

Hanley explained, 'Combining both the unauthenticated arbitrary log file read and this authenticated command injection, an unauthenticated attacker can obtain remote code execution in the context of root.' He added that this endpoint is accessible for both low privilege users and admins. Given Fortinet's status as a popular target for cyberattacks, administrators are urged to apply the patches for these vulnerabilities as soon as possible.

Related News

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.