_KonstantinNechaev-Alamy.jpg?disable=upscale&width=1200&height=630&fit=crop "Fortinet tackles unpatched critical RCE vulnerability")
Fortinet has recently addressed a critical security vulnerability within its Wireless LAN Manager (FortiWLM) that had the potential to expose sensitive information without authentication. This flaw, when combined with another issue, had the capability to result in remote code execution (RCE), as highlighted by a researcher.
Initially disclosed in March, the bug (CVE-2023-34990, CVSS 9.6) was identified as an “unauthenticated limited file read vulnerability” without an assigned CVE. Zach Hanley, a security researcher from Horizon3.ai, who reported the bug to Fortinet, stated that the vulnerability was a result of inadequate input validation on request parameters, enabling an attacker to traverse directories and read any log file on the system. Hanley confirmed to Dark Reading that the bug patched by Fortinet recently is the same issue he identified in March.
The verbose logging mechanism of FortiWLM was identified as a crucial factor that contributed to the severity of the vulnerability. Hanley explained how an attacker could abuse the arbitrary log file read to obtain the session ID of a user, thereby potentially gaining unauthorized access to authenticated endpoints. This revelation underscores the significance of prompt patching to mitigate potential risks.
According to NIST’s National Vulnerability Database (NVD), the flaw could also facilitate the execution of unauthorized code or commands through specially crafted web requests. This capability, linked to access to authenticated endpoints, further accentuates the criticality of addressing the security vulnerability promptly.
The impacted versions of FortiWLM include 8.6.0 through 8.6.5 (resolved in 8.6.6 or higher) and versions 8.5.0 through 8.5.4 (fixed in 8.5.5 or above).
In a comprehensive analysis, Hanley emphasized a potential exploit chain by combining CVE-2023-34990 with an authenticated command-injection vulnerability patched by Fortinet last year (CVE-2023-48782, CVSS 8.8), creating another pathway for achieving RCE. The amalgamation of these vulnerabilities could allow an attacker to inject a malicious string into a request to a specific endpoint, enabling execution with root privileges.
Hanley elucidated that the blended exploitation of the unauthenticated arbitrary log file read and the authenticated command injection could grant an unauthenticated attacker the ability to achieve remote code execution within the context of root access. This critical insight underscores the urgent need for administrators to apply the necessary patches to Fortinet appliances to prevent potential exploitation.
Given Fortinet’s status as a prime target for cyberattacks, highlighted by recent disclosures of critical vulnerabilities, administrators are strongly advised to prioritize securing their Fortinet infrastructure. Proactive measures, such as timely patching and vulnerability mitigation, are crucial in fortifying defenses against potential security breaches.