Fortinet Patches Critical FortiWLM Vulnerability

Fortinet has released patches for a critical-severity path traversal vulnerability in FortiWLM that was reported last year.

Fortinet on Wednesday announced patches for a critical-severity vulnerability in Wireless Manager (FortiWLM) that could be exploited for arbitrary code execution.

An application suite for wireless device management, FortiWLM enables enterprises to monitor, operate, and administer wireless networks on Fortinet firewalls that are managed using FortiManager.

The critical security defect, tracked as CVE-2023-34990 (CVSS score of 9.6), is described as a “relative path traversal” issue that could be exploited remotely, without authentication, to read sensitive files.

The vulnerability affects FortiWLM versions 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 and, according to the NIST advisory, could be exploited for code execution. FortiWLM versions 8.6.6 and 8.5.5 resolve the issue.

Fortinet’s advisory provides no additional information on the bug, but the company has credited security researcher Zach Hanley of Horizon3.ai for reporting it.

Given the flaw’s CVE identifier, it appears that Hanley reported the vulnerability last year, likely alongside multiple other issues in FortiWLM. Between October and December last year, Fortinet released patches for several of these bugs, including two critical- and two high-severity issues.

In a March 2024 blog post, published 307 days after he submitted his initial report to Fortinet, Hanley revealed that two still-unpatched defects could be chained together to fully compromise devices.

The first issue, a directory traversal flaw, allows an unauthenticated attacker to send crafted requests to a specific endpoint and retrieve log files that contain administrator session ID tokens.


Because the web session ID of an authenticated user is static rather than regenerated on each login, an attacker who obtains the token from the log files can replay it to impersonate the administrator and operate the vulnerable device with administrative permissions.

“An attacker that can obtain this token can abuse this behavior to hijack sessions and perform administrative actions. This session ID is retrievable with the unpatched limited log file read vulnerability above and can be used to gain administrative permissions to the appliance,” Hanley warned.
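To make the two weaknesses in that chain concrete, here is an added, generic illustration in Python: a log-download handler with a relative path traversal beside a hardened version, and a static session ID store beside one that issues a fresh random ID per login, expires it, and revokes it on logout. This is example code written for this page, not FortiWLM code; the log directory, endpoint behaviour, session layout and server secret are assumptions, and the inputs in `demo()` are constructed.

```python
"""Added illustration of the chain described above (not FortiWLM code).
Part 1: relative path traversal in a "download log file" handler.
Part 2: static session ID versus per-login random ID with expiry.
LOG_DIR, the server secret and all inputs are assumptions for the example."""
import hashlib
import hmac
import posixpath
import secrets
import time
from typing import Dict, Optional, Tuple

LOG_DIR = "/var/log/app"  # assumed log directory, not the real product path


# --- 1. Relative path traversal (CWE-23) in a log-download handler ---------------

def resolve_log_path_vulnerable(requested: str, base: str = LOG_DIR) -> str:
    """Trusts the client-supplied name: '..' segments climb out of `base`, and
    posixpath.join discards `base` entirely when `requested` is absolute."""
    return posixpath.normpath(posixpath.join(base, requested))


def resolve_log_path_safe(requested: str, base: str = LOG_DIR) -> str:
    """Canonicalise first, then require the result to sit strictly below `base`.
    Run this on the fully URL-decoded path; checking before decoding lets
    '%2e%2e/'-style encodings slip past the check."""
    if "\x00" in requested:
        raise ValueError("NUL byte in requested path")
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, requested))
    if not candidate.startswith(base_norm + "/"):
        raise ValueError(f"path traversal rejected: {requested!r}")
    if not candidate.endswith(".log"):  # allow-list the file type as well
        raise ValueError("only .log files may be downloaded")
    return candidate


# --- 2. Static session ID vs. per-login random ID with expiry and revocation -----

class StaticSessionStore:
    """Vulnerable pattern: the session ID is a fixed function of the account, so
    it is identical on every login and a single leak grants indefinite access."""

    def __init__(self, server_secret: bytes):
        self._secret = server_secret
        self._sessions: Dict[str, str] = {}

    def login(self, username: str) -> str:
        token = hmac.new(self._secret, username.encode(), "sha256").hexdigest()
        self._sessions[token] = username
        return token

    def user_for(self, token: str) -> Optional[str]:
        return self._sessions.get(token)

    def logout(self, token: str) -> None:
        pass  # nothing is revoked; the same token is valid on the next login anyway


class RotatingSessionStore:
    """Hardened: unpredictable ID per login, server-side expiry, explicit revocation."""

    def __init__(self, ttl_seconds: int = 900):
        self._ttl = ttl_seconds
        self._sessions: Dict[str, Tuple[str, float]] = {}  # token -> (user, expiry)

    def login(self, username: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = (username, now + self._ttl)
        return token

    def user_for(self, token: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if now >= expires_at:
            self._sessions.pop(token, None)
            return None
        return username

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


def log_safe_session_ref(token: str) -> str:
    """Write only a short digest to log files: a leaked log then still lets you
    correlate events per session without handing out a replayable credential."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def demo() -> dict:
    """Runs both halves on constructed input and returns the observations."""
    out = {}
    out["vuln_path"] = resolve_log_path_vulnerable("../../etc/passwd")
    try:
        resolve_log_path_safe("../../etc/passwd")
        out["safe_rejects"] = False
    except ValueError:
        out["safe_rejects"] = True
    static = StaticSessionStore(b"assumed-server-secret")
    s1 = static.login("admin")
    static.logout(s1)
    out["static_after_logout"] = static.user_for(s1) == "admin"
    out["static_same_token"] = static.login("admin") == s1
    rot = RotatingSessionStore(ttl_seconds=900)
    r1 = rot.login("admin", now=1000.0)
    rot.logout(r1)
    r2 = rot.login("admin", now=1001.0)
    out["rotating_same_token"] = r1 == r2
    out["old_token_valid"] = rot.user_for(r1, now=1002.0) is not None
    out["expired_rejected"] = rot.user_for(r2, now=1901.0) is None
    return out


if __name__ == "__main__":
    print(demo())
```

The path check rejects anything that does not canonicalise to a location strictly under the log directory and additionally allow-lists the file extension, so even a future bypass of the prefix check cannot fetch non-log files. The session half shows why the leak matters: with the static store, logging out revokes nothing and the next login hands back the identical token, whereas the rotating store makes a harvested token useless once it has been revoked or has expired, and `log_safe_session_ref` removes the raw token from the logs in the first place.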

However, it is unclear whether CVE-2023-34990 is indeed the directory traversal vulnerability reported by Horizon3.ai and why Fortinet did not patch it last year, along with the other issues. SecurityWeek has emailed Fortinet for additional details on the matter.

“I believe the vulnerability released by Fortinet is the vulnerability described in the blog post from March. Specifically the one titled ‘CVE-2024-???? (0-day): Fortinet FortiWLM Unauthenticated Limited File Read Vulnerability’,” Hanley said, responding to a SecurityWeek inquiry.

“When fixing and patching the other reported vulnerabilities, they did not discuss with me why they did not assign a CVE for it or the other Static Session ID vulnerability. Also, when writing the blog, they restricted the availability of their software for researchers to inspect, so I am unable to confirm when or if it’s been patched,” he added.

On Wednesday, Fortinet also announced patches for a high-severity OS command injection bug in FortiManager that could allow remote, unauthenticated attackers to execute arbitrary code. Tracked as CVE-2024-48889, the flaw also affects older FortiAnalyzer models under certain conditions.

Fortinet makes no mention of any of these vulnerabilities being exploited in the wild. Additional information can be found on the company’s PSIRT advisories page.

*Updated with statement from Zach Hanley of Horizon3.ai.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
