- A Fortinet flaw, fixed in September 2023, was just flagged in a security bulletin
- The bug was first discovered in May 2023r, and allows crooks to take over vulnerable endpoints
- Users are advised to apply the patch immediately
Fifteen months after first patching, Fortinet has released a security bulletin to flag a critical severity flaw plaguing its Fortinet Wireless Manager (FortiWLM) product.
The flaw can be used to take over the devices remotely, so if you’re using an older version, make sure to update it immediately.
FortiWLM is a centralized platform for managing, monitoring, and optimizing Fortinet wireless access points and controllers, enabling secure and scalable wireless network deployments. It is usually used by large enterprises and government agencies.
Fixed in September
In May 2023, security researcher from Horizon3, Zach Hanley, discovered a relative path traversal flaw affecting the product. It is tracked as CVE-2023-34990, and was given a severity score of 9.8/10 (critical). The bug stems from improper input validation, which allows attackers to read sensitive log files from the system. Since these log files often contain administrator session IDs they can be abused to grant the attackers remote access to the vulnerable endpoint.
“Abusing the lack of input validation, an attacker can construct a request where the imagename parameter contains a path traversal, allowing the attacker to read any log file on the system,” Hanley said at the time.
“Luckily for an attacker, the FortiWLM has very verbose logs – and logs the session ID of all authenticated users. Abusing the above arbitrary log file read, an attacker can now obtain the session ID of a user and login and also abuse authenticated endpoints.”
The flaw affects FortiWLM versions 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4.
However, despite discovering the bug and reporting it to Fortinet, the company did not publicly address it, prompting Hanley to disclose his findings, and release a proof-of-concept (PoC), in March 2023. Earlier this week, Fortinet published a new security bulletin, in which it stated that the bug was fixed in September last year.
That means that the flaw remained a zero-day for roughly four months, and remained completely out of user sight for 15 months.
Via BleepingComputer
Leave a comment