Fortinet has issued an advisory for a now-patched critical security flaw affecting Wireless LAN Manager (FortiWLM) that could lead to disclosure of sensitive information.
The vulnerability, tracked as CVE-2023-34990, has a CVSS score of 9.6 out of a maximum of 10.0.
“Passing a relative path (CWE-23) in FortiWLM could allow a remote, unauthenticated attacker to read sensitive files,” the company said in an advisory issued Wednesday.
However, according to the description of the flaw in NIST’s National Vulnerability Database (NVD), the path traversal vulnerability could also be exploited by an attacker to “execute unauthorized code or commands via specially crafted web requests.”
The flaw affects the following product versions –
- FortiWLM versions 8.6.0 – 8.6.5 (fixed in 8.6.6 or higher)
- FortiWLM versions 8.5.0 – 8.5.4 (fixed in 8.5.5 or higher)
The company credited Horizon3.ai security researcher Zach Hanley with discovering and reporting the flaw. It’s worth noting that CVE-2023-34990 is the “Unauthenticated Restricted File Read Vulnerability” that the cybersecurity company disclosed in March as part of a broader set of six vulnerabilities in FortiWLM.
“This vulnerability allows a remote, unauthenticated attacker to access and abuse built-in functionality designed to read certain log files on the system via a crafted request to the /ems/cgi-bin/ezrf_lighttpd.cgi endpoint,” Hanley said at the time.
“This issue occurs due to a lack of validation of the request’s input parameters, which allows an attacker to browse directories and read any log file on the system.”
Successful exploitation of CVE-2023-34990 could allow a threat actor to read FortiWLM log files and obtain a user’s session ID and login, which in turn lets them reach authenticated endpoints.
Worse, because web session IDs are static across user sessions, an attacker can hijack them and gain administrative privileges on the device.
That’s not all. An attacker could also chain CVE-2023-34990 with CVE-2023-48782 (CVSS score: 8.8), an authenticated command injection bug that was also fixed in FortiWLM 8.6.6, to achieve remote code execution as root.
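As an added illustration (not code from the advisory, Fortinet, or Horizon3.ai), a small Python detector that flags requests to the endpoint named above whose query parameters carry a path-traversal sequence, including double percent-encoded ones. The access-log format and the `logfile` parameter name are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote

# Endpoint named in the Horizon3.ai write-up quoted above.
VULN_ENDPOINT = "/ems/cgi-bin/ezrf_lighttpd.cgi"

# Constructed sample access-log lines: client, request line, status.
# The "logfile" parameter name is a placeholder, not the real one.
SAMPLE_LOG = """\
192.0.2.10 "GET /ems/cgi-bin/ezrf_lighttpd.cgi?logfile=ems.log HTTP/1.1" 200
192.0.2.11 "GET /ems/cgi-bin/ezrf_lighttpd.cgi?logfile=../../../var/log/messages HTTP/1.1" 200
192.0.2.12 "GET /ems/cgi-bin/ezrf_lighttpd.cgi?logfile=..%252f..%252fvar%252flog%252fmessages HTTP/1.1" 200
192.0.2.13 "GET /index.html?logfile=../../etc/hosts HTTP/1.1" 404
"""

# Assumed log layout: <client> "<METHOD> <target> HTTP/x.y" <status>
LOG_RE = re.compile(r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# A ".." path segment delimited by slashes or backslashes, or at either end of the value.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double encoding (e.g. %252f) cannot hide a traversal."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return a finding dict for a traversal attempt against the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if fully_decode(path) != VULN_ENDPOINT:
        return None
    # parse_qsl decodes once; fully_decode handles the remaining layers.
    for param, raw_value in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw_value)
        if TRAVERSAL_RE.search(value):
            return {"client": m.group("client"), "status": m.group("status"),
                    "param": param, "value": value}
    return None

def scan(log_text):
    """Scan a whole log; returns the list of findings in log order."""
    return [f for f in (inspect_line(l) for l in log_text.splitlines()) if f]
```

Running `scan(SAMPLE_LOG)` reports the second and third lines; the fourth is ignored because it targets a different path.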
Fortinet has also patched a high-severity operating system command injection vulnerability in FortiManager that could allow an authenticated remote attacker to execute unauthorized code via crafted FGFM requests.
The vulnerability (CVE-2024-48889, CVSS score: 7.2) affects the following versions –
- FortiManager version 7.6.0 (fixed in 7.6.1 or higher)
- FortiManager versions 7.4.0 – 7.4.4 (fixed in 7.4.5 or higher)
- FortiManager Cloud versions 7.4.1 – 7.4.4 (fixed in 7.4.5 or higher)
- FortiManager versions 7.2.3 – 7.2.7 (fixed in 7.2.8 or higher)
- FortiManager Cloud versions 7.2.1 – 7.2.7 (fixed in 7.2.8 or higher)
- FortiManager versions 7.0.5 – 7.0.12 (fixed in 7.0.13 or higher)
- FortiManager Cloud versions 7.0.1 – 7.0.12 (fixed in 7.0.13 or higher)
- FortiManager versions 6.4.10 – 6.4.14 (fixed in 6.4.15 or higher)
Fortinet also noted that a number of older models, 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, and 3900E, are affected by CVE-2024-48889 if “fmg-status” is enabled.
With Fortinet devices having become a magnet for threat actors, it is essential that users keep their instances up to date to protect themselves from potential threats.