Overview
Fortinet has disclosed a critical security vulnerability in its Wireless LAN Manager (FortiWLM) software, which has since been patched. The flaw could potentially expose sensitive information to attackers. Designated as CVE-2023-34990, the vulnerability has a CVSS severity score of 9.6 out of 10.
“FortiWLM contains a relative path traversal vulnerability [CWE-23] that may enable a remote, unauthenticated attacker to access sensitive files,” Fortinet stated in an advisory released on Wednesday.
Additionally, the National Vulnerability Database (NVD) elaborates that this path traversal flaw could also allow attackers to “execute unauthorized code or commands” through specially crafted web requests.
Impacted Products
The recently disclosed CVE-2023-34990 vulnerability impacts several versions of Fortinet’s Wireless LAN Manager (FortiWLM):
- FortiWLM versions 8.6.0 through 8.6.5 (patched in 8.6.6 and later)
- FortiWLM versions 8.5.0 through 8.5.4 (patched in 8.5.5 and later)
Fortinet credited Zach Hanley, a security researcher at Horizon3.ai, for discovering and reporting this flaw. The vulnerability, initially revealed in March as part of a set of six security issues in FortiWLM, is classified as an “unauthenticated limited file read vulnerability.
Technical Details
The flaw, stemming from insufficient input validation, allows a remote, unauthenticated attacker to exploit the /ems/cgi-bin/ezrf_lighttpd.cgi endpoint using a crafted request. This can bypass restrictions, enabling directory traversal and unauthorized access to log files.
Zach Hanley explained, “This vulnerability results from the lack of input validation on request parameters, allowing an attacker to traverse directories and read any log file on the system.
Exploitation Risks
A successful exploit of CVE-2023-34990 could allow an attacker to:
- Access FortiWLM log files: This could expose user session IDs.
- Hijack web sessions: Since session IDs remain static between user sessions, attackers can exploit them to gain administrative permissions on the appliance.
Furthermore, combining CVE-2023-34990 with CVE-2023-48782 (CVSS score: 8.8), an authenticated command injection vulnerability patched in FortiWLM 8.6.6, could enable remote code execution with root privileges.
Fortinet highlighted that several older hardware models are also vulnerable if the “fmg-status” is enabled. These include:
1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, and 3900E.
Additional Vulnerability
Fortinet also patched a high-severity operating system command injection vulnerability in FortiManager. This flaw could allow an authenticated remote attacker to execute unauthorized code via FGFM-crafted requests.
Fixed Version
Fortinet has addressed the CVE-2024-48889 vulnerability, rated with a CVSS score of 7.2, in the following versions of FortiManager and FortiManager Cloud:
- FortiManager 7.6.0: Fixed in 7.6.1 or later
- FortiManager versions 7.4.0 through 7.4.4: Fixed in 7.4.5 or later
- FortiManager Cloud versions 7.4.1 through 7.4.4: Fixed in 7.4.5 or later
- FortiManager versions 7.2.3 through 7.2.7: Fixed in 7.2.8 or later
- FortiManager Cloud versions 7.2.1 through 7.2.7: Fixed in 7.2.8 or later
- FortiManager versions 7.0.5 through 7.0.12: Fixed in 7.0.13 or later
- FortiManager Cloud versions 7.0.1 through 7.0.12: Fixed in 7.0.13 or later
- FortiManager versions 6.4.10 through 6.4.14: Fixed in 6.4.15 or later
Administrators are urged to apply the recommended patches promptly to mitigate potential exploitation risks.