Fortinet Patches FortiWLM Zero Day
The details of CVE-2023-34990 were disclosed in March
Fortinet has released a fix for a critical flaw in its FortiWLM wireless LAN manager product that can allow an unauthenticated attacker to read specific files on remote hosts. The bug can be combined with other known vulnerabilities in the product to gain remote code execution.
CVE: CVE-2023-34990
Why It Matters: Researcher Zach Hanley at Horizon3 discovered this vulnerability and reported it to Fortinet in May of 2023. The bug was part of a disclosure of several vulnerabilities in the FortiWLM product, which Fortinet released fixes for over the course of several months last year. But this specific flaw was not addressed until today. In fact, at the time of Horizon3’s analysis in March, it didn’t even have a CVE. Fortinet products are very popular targets for attackers, and the FortiWLM would be a key target, as it’s used to manage wireless networks in large deployments such as college campuses.
Key Details
CVE-2023-34990 affects versions 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 of the FortiWLM.
The bug is a relative path traversal vulnerability, and a remote, unauthenticated attacker could exploit it to read specific log files. “This vulnerability allows remote, unauthenticated attackers to access and abuse builtin functionality meant to read specific log files on the system via a crafted request to the /ems/cgi-bin/ezrf_lighttpd.cgi endpoint. This issue results from the lack of input validation on request parameters allowing an attacker to traverse directories and read any log file on the system,” according to the Horizon3 advisory.
The details of the bug have been public since May, making it a high priority to patch.
“Abusing the lack of input validation, an attacker can construct a request where the imagename parameter contains a path traversal, allowing the attacker to read any log file on the system. Luckily for an attacker, the FortiWLM has very verbose logs – and logs the session ID of all authenticated users. Abusing the above arbitrary log file read, an attacker can now obtain the session ID of a user and login and also abuse authenticated endpoints,” Hanley’s analysis says.
What to Do Now: Upgrade to version 8.5.5 or 8.6.6 to address the flaw.
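The missing input validation, the detection opportunity in the web server's access log, and the affected-version check from Key Details, as one added example that is not Fortinet's or Horizon3's code: a Python sketch with (1) the allowlist-plus-canonicalization check a log-reading endpoint needs so that a file name parameter cannot leave the log directory, (2) a detector that flags access-log requests to the advisory's endpoint carrying a traversal sequence in any query parameter after double URL-decoding, and (3) an inventory helper for the affected version ranges stated above. The log directory, the sample access-log lines and the log file names are constructed assumptions; only the endpoint path, the imagename parameter and the version ranges come from the post.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlparse

# Assumed log directory for the illustration; the real FortiWLM layout is not
# described in the post.
LOG_DIR = "/var/log/app"

# Endpoint and parameter named in the Horizon3 advisory quoted above.
ENDPOINT = "/ems/cgi-bin/ezrf_lighttpd.cgi"
PARAM = "imagename"

# Allowlist: a plain log file name with no path separators and no leading dot.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*\.log$")


def safe_log_path(requested, log_dir=LOG_DIR):
    """Return the canonical path of a requested log file, or None if the
    request must be refused. This is the validation the advisory says was
    missing: decode, allowlist the name, then confirm the resolved path still
    lives under log_dir."""
    decoded = unquote(unquote(requested))  # defeat single and double URL-encoding
    if "\x00" in decoded or not SAFE_NAME_RE.fullmatch(decoded):
        return None
    base = os.path.realpath(log_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # realpath follows symlinks, so a link inside log_dir that points elsewhere
    # is rejected here as well as any residual '..' component.
    if not candidate.startswith(base + os.sep):
        return None
    return candidate


REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
DOTDOT_RE = re.compile(r"\.\.[/\\]")


def is_traversal_request(log_line):
    """True if a combined-format access-log line targets the vulnerable
    endpoint with a traversal sequence in any query parameter."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return False
    parsed = urlparse(m.group(1))
    if parsed.path != ENDPOINT:
        return False
    # parse_qs decodes once; decode again to catch %252e-style double encoding.
    for values in parse_qs(parsed.query, keep_blank_values=True).values():
        if any(DOTDOT_RE.search(unquote(v)) for v in values):
            return True
    return False


def flag_traversal_requests(lines):
    """Filter an iterable of access-log lines down to the suspicious ones."""
    return [line for line in lines if is_traversal_request(line)]


# Constructed sample access-log lines (addresses, dates and file names invented).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /ems/cgi-bin/ezrf_lighttpd.cgi?imagename=wlm.log HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /ems/cgi-bin/ezrf_lighttpd.cgi?imagename=..%2F..%2F..%2Fvar%2Flog%2Fother.log HTTP/1.1" 200 8192',
    '10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

# Affected ranges from the post: 8.5.0-8.5.4 and 8.6.0-8.6.5; fixed in 8.5.5 / 8.6.6.
AFFECTED_PATCH_RANGES = {(8, 5): (0, 4), (8, 6): (0, 5)}


def is_affected_version(version):
    """Inventory check of an x.y.z FortiWLM version string against the post's ranges."""
    try:
        major, minor, patch = (int(part) for part in version.strip().split("."))
    except ValueError:
        raise ValueError("expected an x.y.z version string, got %r" % version)
    rng = AFFECTED_PATCH_RANGES.get((major, minor))
    return rng is not None and rng[0] <= patch <= rng[1]


if __name__ == "__main__":
    for line in flag_traversal_requests(SAMPLE_ACCESS_LOG):
        print("traversal attempt:", line)
    print(safe_log_path("wlm.log"), safe_log_path("../../etc/passwd"))
    print(is_affected_version("8.6.5"), is_affected_version("8.6.6"))
```

The validator deliberately layers two checks: the allowlist refuses anything that is not a bare `.log` name, and the realpath comparison catches what an allowlist cannot, such as a symlink in the log directory pointing outside it. The detector decodes twice because a single decode is what the server itself performs, so a double-encoded `..` would otherwise slip past a naive pattern match.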