Fortinet Patches Critical FortiWLM Vulnerability – Source: www.securityweek.com

Fortinet on Wednesday announced patches for a critical-severity vulnerability in Wireless Manager (FortiWLM) that could be exploited for arbitrary code execution.

An application suite for wireless device management, FortiWLM enables enterprises to monitor, operate, and administer wireless networks on Fortinet firewalls that are managed using FortiManager.

The critical security defect, tracked as CVE-2023-34990 (CVSS score of 9.6), is described as a “relative path traversal” issue that could be exploited remotely, without authentication, to read sensitive files.

The vulnerability impacts FortiWLM versions 8.6.0 through 8.6.5 and versions 8.5.0 through 8.5.4, and it could be exploited for code execution, a NIST advisory reads. FortiWLM versions 8.6.6 and 8.5.5 resolve the issue.

Fortinet’s advisory provides no additional information on the bug, but the company has credited security researcher Zach Hanley of Horizon3.ai for reporting it.

Given the flaw’s CVE identifier, it appears that Hanley reported the vulnerability last year, likely alongside multiple other issues in FortiWLM. Between October and December last year, Fortinet released patches for several of these bugs, including two critical- and two high-severity issues.

In a March 2024 blog post that was published 307 days after submitting the initial report to Fortinet, Hanley revealed that two unpatched defects could be chained together to fully compromise devices.

The first issue, a directory traversal flaw, allows attackers to send crafted requests to a specific endpoint and retrieve arbitrary log files containing administrator session ID tokens.

Because the web session ID token of authenticated users remains static, an attacker could then use the token retrieved from log files to impersonate the administrator and access a vulnerable device with their permissions.

“An attacker that can obtain this token can abuse this behavior to hijack sessions and perform administrative actions. This session ID is retrievable with the unpatched limited log file read vulnerability above and can be used to gain administrative permissions to the appliance,” Hanley warned.

However, it is unclear whether CVE-2023-34990 is indeed the directory traversal vulnerability reported by Horizon3.ai and why Fortinet did not patch it last year, along with the other issues. SecurityWeek has emailed both Fortinet and Horizon3.ai for additional details on the matter.

On Wednesday, Fortinet also announced patches for a high-severity OS command injection bug in FortiManager that could allow remote, unauthenticated attackers to execute arbitrary code. Tracked as CVE-2024-48889, the flaw also affects old FortiAnalyzer models under certain conditions.

Fortinet makes no mention of any of these vulnerabilities being exploited in the wild. Additional information can be found on the company’s PSIRT advisories page.

Related: Fortinet VPN Zero-Day Exploited in Malware Attacks Remains Unpatched: Report

Related: Citrix, Fortinet Patch High-Severity Vulnerabilities

Related: Top Guns: Defending Corporate Clouds from Malicious Mavericks

Related: Offense Gets the Glory, but Defense Wins the Game