Fortinet warns of FortiWLM bug giving hackers admin privileges

Fortinet has disclosed a critical vulnerability in Fortinet Wireless Manager (FortiWLM) that allows remote attackers to take over devices by executing unauthorized code or commands through specially crafted web requests.

FortiWLM is a centralized management tool for monitoring, managing, and optimizing wireless networks. It is used by government agencies, healthcare organizations, educational institutions, and large enterprises.

The flaw, tracked as CVE-2023-34990, is a relative path traversal flaw rated with a CVSS score of 9.8.

Horizon3 researcher Zach Hanley discovered and disclosed the vulnerability to Fortinet in May 2023. However, the flaw remained unfixed ten months later, and Hanley decided to publish details and a proof of concept (PoC) for it on March 14, 2024, in a technical writeup about other Fortinet flaws he discovered.

Stealing Admin Session IDs

The issue allows unauthenticated attackers to exploit improper input validation in the ‘/ems/cgi-bin/ezrf_lighttpd.cgi’ endpoint.

By using directory traversal techniques in the ‘imagename’ parameter when ‘op_type’ is set to ‘upgradelogs,’ attackers can read sensitive log files from the system.

These logs typically contain administrator session IDs, which can be used to hijack admin sessions and gain privileged access, allowing threat actors to take over devices.

“Abusing the lack of input validation, an attacker can construct a request where the imagename parameter contains a path traversal, allowing the attacker to read any log file on the system,” explained Hanley.

“Luckily for an attacker, the FortiWLM has very verbose logs – and logs the session ID of all authenticated users. Abusing the above arbitrary log file read, an attacker can now obtain the session ID of a user and login and also abuse authenticated endpoints.”

The flaw affects FortiWLM versions 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4.

Despite the researcher’s public warning, the lack of a CVE ID (at the time) and of a security bulletin meant that customers were unaware of the risk and of the need to upgrade to a safe version.

According to the security bulletin Fortinet published yesterday, on December 18, 2024, CVE-2023-34990 was fixed in FortiWLM versions 8.6.6 and 8.5.5, released at the end of September 2023.

CVE-2023-34990 was a zero-day vulnerability for roughly 4 months, with FortiWLM customers first learning about it 10 months after its discovery in Hanley’s writeup. However, it took Fortinet an additional 9 months to release a public security bulletin.

Given its deployment in critical environments, FortiWLM can be a valuable target for attackers, as compromising it remotely could lead to network-wide disruptions and sensitive data exposure.

Therefore, FortiWLM admins are strongly advised to apply all available updates as they become available.
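As an added example (not code from the article, Fortinet, or Horizon3), the script below shows two defender-side checks that follow from the details above: a triage of FortiWLM version strings against the affected ranges (8.6.0 through 8.6.5 and 8.5.0 through 8.5.4, fixed in 8.6.6 and 8.5.5), and a scan of web-server access logs for requests to ‘/ems/cgi-bin/ezrf_lighttpd.cgi’ whose ‘imagename’ parameter carries a directory traversal after URL decoding. The log lines are constructed samples in common-log format; FortiWLM’s real log layout is not shown in the article and is an assumption here, so the regular expression may need adjusting for a real deployment.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Affected FortiWLM releases as stated in the article: 8.6.0-8.6.5 and 8.5.0-8.5.4.
AFFECTED = {(8, 6): range(0, 6), (8, 5): range(0, 5)}

# Vulnerable endpoint and parameters named in the article.
ENDPOINT = "/ems/cgi-bin/ezrf_lighttpd.cgi"
VULN_OP_TYPE = "upgradelogs"

# Generic common-log-format parser (assumed layout; adjust for your reverse proxy / WLM logs).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log lines (not real FortiWLM output); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Dec/2024:10:00:01 +0000] "GET /ems/cgi-bin/ezrf_lighttpd.cgi?op_type=upgradelogs&imagename=../../../../var/log/example.log HTTP/1.1" 200 5120
203.0.113.10 - - [18/Dec/2024:10:00:02 +0000] "GET /ems/cgi-bin/ezrf_lighttpd.cgi?op_type=upgradelogs&imagename=..%2F..%2Fvar%2Flog%2Fplaceholder.log HTTP/1.1" 200 1320
198.51.100.7 - - [18/Dec/2024:10:00:03 +0000] "GET /ems/cgi-bin/ezrf_lighttpd.cgi?op_type=upgradelogs&imagename=upgrade_2024.log HTTP/1.1" 200 880
198.51.100.7 - - [18/Dec/2024:10:00:04 +0000] "GET /ems/static/logo.png HTTP/1.1" 200 4400
"""


def is_affected(version: str) -> bool:
    """Return True if a dotted FortiWLM version falls in an affected range."""
    major, minor, patch = (int(x) for x in version.split(".")[:3])
    return patch in AFFECTED.get((major, minor), ())


def has_traversal(value: str) -> bool:
    """True if the value contains a '..' path segment once URL decoding is undone.

    Decoding twice catches double-encoded input; backslashes are normalised to '/'.
    """
    decoded = unquote(unquote(value)).replace("\\", "/")
    return any(segment == ".." for segment in decoded.split("/"))


def classify(line: str):
    """Return an alert dict for a suspicious request to the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path != ENDPOINT:
        return None
    # parse_qs performs one level of URL decoding on the values.
    params = parse_qs(parts.query, keep_blank_values=True)
    op_type = params.get("op_type", [""])[0]
    imagename = params.get("imagename", [""])[0]
    if not has_traversal(imagename):
        return None
    reason = "path traversal in imagename"
    if op_type == VULN_OP_TYPE:
        reason += " with op_type=upgradelogs (matches CVE-2023-34990 pattern)"
    if m["status"] == "200":
        reason += "; server returned 200, treat as a possible log disclosure"
    return {
        "src": m["src"],
        "ts": m["ts"],
        "op_type": op_type,
        "imagename": imagename,
        "status": m["status"],
        "reason": reason,
    }


def scan(log_text: str) -> list:
    """Scan a block of access-log text and return all alerts in order."""
    return [a for a in (classify(l) for l in log_text.splitlines()) if a]


if __name__ == "__main__":
    for ver in ("8.5.4", "8.5.5", "8.6.5", "8.6.6"):
        print(f"FortiWLM {ver}: {'AFFECTED' if is_affected(ver) else 'not in affected range'}")
    for alert in scan(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['src']} -> {alert['reason']}: imagename={alert['imagename']!r}")
```

Run it as-is to see the two constructed traversal attempts flagged (the legitimate `upgrade_2024.log` request and the unrelated static asset are ignored). Because the article notes that the leaked logs carry session IDs, a hit with status 200 should be followed by invalidating active admin sessions and reviewing authenticated activity from the same source, not only by patching.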
