NEWS BRIEF
Fortinet has lastly patched a crucial safety vulnerability in its Wi-fi LAN Supervisor (FortiWLM) that would permit unauthenticated delicate data disclosure. And, when chained with one other concern, it may result in distant code execution (RCE), a researcher warned.
The bug (CVE-2023-34990, CVSS 9.6) was first disclosed in March, when it was described as an “unauthenticated restricted file learn vulnerability” and not using a CVE.
“This concern outcomes from the dearth of enter validation on request parameters permitting an attacker to traverse directories and browse any log file on the system,” Horizon3.ai safety researcher Zach Hanley, who reported the bug to Fortinet, noted in March. He has confirmed to Darkish Studying that the bug patched this week is identical concern.
He added, “Fortunately for an attacker, the FortiWLM has very verbose logs — and logs the session ID of all authenticated customers. Abusing the above arbitrary log file learn, an attacker can now receive the session ID of a consumer and login and in addition abuse authenticated endpoints.”
NIST’s Nationwide Vulnerability Database (NVD) has noted that the flaw will also be used to “execute unauthorized code or instructions by way of specifically crafted Net requests” — because of the entry it supplies to these authenticated endpoints.
The bug impacts FortiWLM variations 8.6.0 by way of 8.6.5 (mounted in 8.6.6 or above) and variations 8.5.0 by way of 8.5.4 (mounted in 8.5.5 or above).
Combining Fortinet Vulnerabilities to Obtain RCE
Hanley again in March flagged a possible exploit chain as nicely: When CVE-2023-34990 is mixed with an authenticated command-injection bug that Fortinet patched final yr (CVE-2023-48782, CVSS 8.8), it turns into one other recipe for RCE.
This second concern permits an attacker who has used CVE-2023-34990 to achieve entry to an authenticated endpoint to, from there, inject a crafted malicious string in a request to the /ems/cgi-bin/ezrf_switches.cgi endpoint that can be executed with root privileges.
“Combining each the unauthenticated arbitrary log file learn and this authenticated command injection, an unauthenticated attacker can receive distant code execution within the context of root,” Hanley defined. “This endpoint is accessible for each low privilege customers and admins.”
Admins ought to patch the Fortinet home equipment ASAP, given the seller’s standing as a most-favored cyberattack target.
Source link