Categories: TheHackerNews

Fortinet Warns of Critical FortiWLM Flaw That Could Lead to Admin Access Exploits


Dec 19, 2024Ravie LakshmananVulnerability / Network Security

Fortinet has issued an advisory for a now-patched critical security flaw impacting Wireless LAN Manager (FortiWLM) that could lead to disclosure of sensitive information.

The vulnerability, tracked as CVE-2023-34990, carries a CVSS score of 9.6 out of a maximum of 10.0.

“A relative path traversal [CWE-23] in FortiWLM may allow a remote unauthenticated attacker to read sensitive files,” the company said in an alert released Wednesday.

However, according to a description of the security flaw in the NIST’s National Vulnerability Database (NVD), the path traversal vulnerability could also be exploited by an attacker to “execute unauthorized code or commands via specially crafted web requests.”

The flaw impacts the following versions of the product –

  • FortiWLM versions 8.6.0 through 8.6.5 (Fixed in 8.6.6 or above)
  • FortiWLM versions 8.5.0 through 8.5.4 (Fixed in 8.5.5 or above)

The company credited Horizon3.ai security researcher Zach Hanley for discovering and reporting the shortcoming. It’s worth mentioning here that CVE-2023-34990 refers to the “unauthenticated limited file read vulnerability” the cybersecurity company revealed back in March as part of a broader set of six flaws in FortiWLM.

“This vulnerability allows remote, unauthenticated attackers to access and abuse builtin functionality meant to read specific log files on the system via a crafted request to the /ems/cgi-bin/ezrf_lighttpd.cgi endpoint,” Hanley said at the time.

“This issue results from the lack of input validation on request parameters allowing an attacker to traverse directories and read any log file on the system.”

A successful exploitation of CVE-2023-34990 could allow the threat actor to read FortiWLM log files and get hold of the session ID of a user and login, thereby allowing them to exploit authenticated endpoints as well.

To make matters worse, the attackers could take advantage of the fact that the web session IDs are static between user sessions to hijack them and gain administrative permissions to the appliance.

That’s not all. An attacker could also combine CVE-2023-34990 with CVE-2023-48782 (CVSS score: 8.8), an authenticated command injection flaw that has also been fixed in FortiWLM 8.6.6, to obtain remote code execution in the context of root.

Also patched by Fortinet is a high-severity operating system command injection vulnerability in FortiManager that may allow an authenticated remote attacker to execute unauthorized code via FGFM-crafted requests.

The vulnerability (CVE-2024-48889, CVSS score: 7.2) has been addressed in the below versions –

  • FortiManager 7.6.0 (Fixed in 7.6.1 or above)
  • FortiManager versions 7.4.0 through 7.4.4 (Fixed in 7.4.5 or above)
  • FortiManager Cloud versions 7.4.1 through 7.4.4 (Fixed in 7.4.5 or above)
  • FortiManager versions 7.2.3 through 7.2.7 (Fixed in 7.2.8 or above)
  • FortiManager Cloud versions 7.2.1 through 7.2.7 (Fixed in 7.2.8 or above)
  • FortiManager versions 7.0.5 through 7.0.12 (Fixed in 7.0.13 or above)
  • FortiManager Cloud versions 7.0.1 through 7.0.12 (Fixed in 7.0.13 or above)
  • FortiManager versions 6.4.10 through 6.4.14 (Fixed in 6.4.15 or above)

Fortinet also noted that a number of older models, 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, and 3900E, are affected by CVE-2024-48889 provided the “fmg-status” is enabled.

With Fortinet devices becoming an attack magnet for threat actors, it’s essential that users keep their instances up-to-date to safeguard against potential threats.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.



Source link

Cybernoz

Share
Published by
Cybernoz

Recent Posts

Juniper Warns of Mirai Botnet Targeting SSR Devices with Default Passwords

Dec 19, 2024Ravie LakshmananMalware / Botnet Juniper Networks is warning that Session Smart Router (SSR)… Read More

2 minutes ago

Juniper Warns of Mirai Botnet Targeting SSR Devices with Default Passwords

Dec 19, 2024Ravie LakshmananMalware / Botnet Juniper Networks is warning that Session Smart Router (SSR)… Read More

2 minutes ago

CCS cloud hosting deal with AWS under scrutiny as contract value soars by 89% after 15 months

The Crown Commercial Service’s (CCS) decision to increase its cloud hosting spend with Amazon Web… Read More

3 minutes ago

Hikvision Camera Driver Vulnerability Records Login details in Log files

A newly disclosed security vulnerability, tracked under CVE-2024-12569, has been identified in Hikvision camera drivers… Read More

26 minutes ago

Hackers Weaponizing LNK Files To Create Scheduled Task And Deliver Malware Payload

TA397, also known as Bitter, targeted a Turkish defense organization with a spearphishing email containing… Read More

35 minutes ago

AWS offers Hackney Council ‘minimum 22%’ discount on cloud services through OGVA 2.0

Hackney Council has committed to growing its annual usage of Amazon Web Services’ (AWS) cloud… Read More

46 minutes ago