- A Fortinet flaw, fixed in September 2023, has only now been disclosed in a security bulletin
- The bug was first discovered in May 2023 and allows attackers to take over vulnerable endpoints
- Users are advised to apply the patch immediately
Fifteen months after the first patch, Fortinet released a security bulletin to highlight a critical flaw affecting its Fortinet Wireless Manager (FortiWLM) product.
The flaw can be used to take control of devices remotely, so if you are running an older version, update it immediately.
FortiWLM is a centralized platform for managing, monitoring and optimizing Fortinet wireless access points and controllers, enabling secure and scalable wireless network deployments. It is usually used by large companies and government agencies.
Corrected in September
In May 2023, Horizon3 security researcher Zach Hanley discovered a relative path traversal flaw affecting the product. It is tracked as CVE-2023-34990 and was assigned a severity score of 9.8/10 (critical). The flaw stems from improper input validation of a request parameter, which lets an unauthenticated attacker read sensitive system log files. Because those log files record administrator session IDs, an attacker can replay a captured session ID to gain remote access to the vulnerable endpoint.
“By abusing the lack of input validation, an attacker can construct a request where the imagename parameter contains a path traversal, allowing him to read any log file on the system,” Hanley said at the time.
“Fortunately for an attacker, FortiWLM has very detailed logs and records the session ID of all authenticated users. By abusing the arbitrary log file read above, an attacker can now obtain the session ID of a user, log in, and also abuse authenticated endpoints.”
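To make the mechanism concrete, here is an added example (not Fortinet's or Horizon3's code) that reproduces the two halves of the bug class described above in miniature: a handler that joins a user-supplied `imagename` parameter onto an image directory, the same handler with canonicalisation that keeps the resolved path inside that directory, and a regex that pulls session IDs out of whatever got read. The endpoint name, directory layout, log contents and session-ID format are all constructed for the demonstration and are not FortiWLM's; a request-line scanner is included so the same idea can be run over captured access logs.

```python
"""Relative path traversal via an image-name parameter: vulnerable and hardened
handlers side by side. Added example; all files, log lines and names are
constructed here and are not taken from FortiWLM."""
import os
import re
import tempfile
from urllib.parse import parse_qs, urlsplit

# Hypothetical log format: a session ID of hex digits after "session_id=".
SESSION_RE = re.compile(r"session_id=([0-9a-f]+)")


def setup_tree(root):
    """Build a constructed layout: images/ (intended) and log/ (must stay hidden)."""
    images = os.path.join(root, "images")
    logs = os.path.join(root, "log")
    os.makedirs(images)
    os.makedirs(logs)
    with open(os.path.join(images, "fw-8.6.5.bin"), "w") as f:
        f.write("not a real firmware image\n")
    with open(os.path.join(logs, "access.log"), "w") as f:
        f.write("admin login ok session_id=deadbeefcafe1234\n")  # constructed
    return images


def read_image_vulnerable(images_dir, imagename):
    """Naive join: '../' segments supplied by the caller are honoured by the OS."""
    path = os.path.join(images_dir, imagename)
    with open(path) as f:
        return f.read()


def read_image_hardened(images_dir, imagename):
    """Canonicalise and require the resolved path to remain below images_dir."""
    base = os.path.realpath(images_dir)
    target = os.path.realpath(os.path.join(base, imagename))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path traversal rejected: {imagename!r}")
    with open(target) as f:
        return f.read()


def leaked_session_ids(text):
    """Return every session ID that appears in the text an attacker managed to read."""
    return SESSION_RE.findall(text)


def traversal_in_request(request_line):
    """True if the imagename query parameter contains a parent-directory segment.
    parse_qs percent-decodes, so '..%2F' is caught; double encoding is not."""
    try:
        _, url, _ = request_line.split(" ", 2)
    except ValueError:
        return False
    qs = parse_qs(urlsplit(url).query)
    for value in qs.get("imagename", []):
        if ".." in value.replace("\\", "/").split("/"):
            return True
    return False


def demo():
    """Run both handlers against a traversal payload and a legitimate name."""
    with tempfile.TemporaryDirectory() as root:
        images = setup_tree(root)
        payload = "../log/access.log"
        leaked = leaked_session_ids(read_image_vulnerable(images, payload))
        try:
            read_image_hardened(images, payload)
            blocked = False
        except PermissionError:
            blocked = True
        legit = read_image_hardened(images, "fw-8.6.5.bin").startswith("not a real")
    return leaked, blocked, legit


if __name__ == "__main__":
    leaked, blocked, legit = demo()
    print("vulnerable handler leaked:", leaked)
    print("hardened handler blocked traversal:", blocked)
    print("hardened handler still serves real images:", legit)
```

The `realpath` plus `commonpath` check is the part that matters: rejecting the literal string `..` is not enough, because encoded, doubled or symlinked variants still resolve outside the directory. The request scanner is a quick triage filter for historical access logs, not a substitute for the server-side check.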
The flaw affects FortiWLM versions 8.6.0 to 8.6.5 and 8.5.0 to 8.5.4.
However, despite receiving the report, Fortinet did not address the bug publicly, leading Hanley to disclose his findings and release a proof of concept (PoC) in March 2024. Earlier this week, Fortinet published a new security bulletin stating that the bug had been fixed in September of last year.
That means the bug was a zero-day for about four months, and the fix went unannounced to users for 15 months.
Via BleepingComputer