Fortinet warned of a now-patched Wireless LAN Manager (FortiWLM) vulnerability, tracked as CVE-2023-34990 (CVSS score of 9.6), that could lead to admin access and sensitive information disclosure.
“A relative path traversal [CWE-23] in FortiWLM may allow a remote, unauthenticated attacker to read sensitive files,” reads the advisory published by the vendor.
Horizon3.ai security researcher Zach Hanley (@hacks_zach) reported this vulnerability to Fortinet.
The vulnerability impacts the following products:
Hanley explained that the vulnerability CVE-2023-34990 enables remote attackers to exploit log-reading functions via crafted requests to a specific endpoint.
“This vulnerability allows remote, unauthenticated attackers to access and abuse built-in functionality meant to read specific log files on the system via a crafted request to the /ems/cgi-bin/ezrf_lighttpd.cgi endpoint. This issue results from the lack of input validation on request parameters allowing an attacker to traverse directories and read any log file on the system,” reads the report published by Horizon3.ai. “Abusing the lack of input validation, an attacker can construct a request where the imagename parameter contains a path traversal, allowing the attacker to read any log file on the system.”
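The two sides of the issue described above, as an added example that is not code from the original article or from Horizon3.ai: a small detector that scans web-server access-log lines for requests to the endpoint named in the report whose imagename parameter escapes its directory, next to the input-validation pattern (allowlisted file name, resolved path confined to the log directory) whose absence the report describes. The log-line layout, the decoding depth and the allowed name shape are assumptions.

```python
import posixpath
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/ems/cgi-bin/ezrf_lighttpd.cgi"          # endpoint named in the report
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+\.log$")     # assumed shape of a legitimate log name

# Constructed sample access-log lines (method, request target, status); not real FortiWLM logs.
SAMPLE_ACCESS_LOG = """\
GET /ems/cgi-bin/ezrf_lighttpd.cgi?imagename=system.log 200
GET /ems/cgi-bin/ezrf_lighttpd.cgi?imagename=../../../var/log/other.log 200
GET /ems/cgi-bin/ezrf_lighttpd.cgi?imagename=..%252F..%252Fsecret.log 200
GET /ems/cgi-bin/other.cgi?imagename=../x 404
"""

def imagename_is_traversal(value: str) -> bool:
    """True if the value escapes a single directory once all URL encoding is peeled off."""
    decoded = value
    for _ in range(3):                 # nested encoding: %252F -> %2F -> /
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    parts = decoded.split("/")
    return decoded.startswith("/") or ".." in parts

def flag_traversal_requests(access_log: str) -> list:
    """Return (line_no, imagename) for requests to ENDPOINT whose imagename traverses."""
    hits = []
    for no, line in enumerate(access_log.splitlines(), 1):
        fields = line.split()
        if len(fields) < 2 or urlsplit(fields[1]).path != ENDPOINT:
            continue
        query = urlsplit(fields[1]).query        # parse_qs decodes one layer itself
        for value in parse_qs(query, keep_blank_values=True).get("imagename", []):
            if imagename_is_traversal(value):
                hits.append((no, value))
    return hits

def safe_log_path(log_dir: str, imagename: str):
    """Server-side fix pattern: allowlist the name, then confine the resolved path to log_dir."""
    if not SAFE_NAME.match(imagename):
        return None
    root = posixpath.normpath(log_dir)
    candidate = posixpath.normpath(posixpath.join(root, imagename))
    if posixpath.dirname(candidate) != root:     # must be a direct child of the log directory
        return None
    return candidate
```

On a real deployment the detector would read the reverse proxy or device access log; the path check is string-only, so a symlink inside the log directory still needs a realpath check on the host.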
The experts added that FortiWLM’s verbose logs expose session IDs. Because an authenticated user’s session ID token remains static for the lifetime of a device boot, an attacker who can read the log files through this vulnerability can reuse the token to hijack the session, reach authenticated endpoints and gain admin access.
The researcher also noticed that CVE-2023-34990 can be chained with CVE-2023-48782 (CVSS score of 8.8), leading to remote arbitrary code execution in the context of root.
Threat actors frequently target Fortinet devices, making it crucial for customers to update their installations promptly.
“While we found it to be popular with State, Local, and Education (SLED) and healthcare focused customers, luckily the internet exposure is fairly limited to around 15 instances,” concludes the report.
(SecurityAffairs – hacking, FortiWLM)