_KonstantinNechaev-Alamy.jpg?disable=upscale&width=1200&height=630&fit=crop&w=1200&resize=1200,0&ssl=1&description=Fortinet+Addresses+Unpatched+Vital+RCE+Vector){kind=link}
_KonstantinNechaev-Alamy.jpg?disable=upscale&width=1200&height=630&fit=crop&w=1200&resize=1200,630&ssl=1 "Fortinet Addresses Unpatched Vital RCE Vector")
NEWS BRIEF
Fortinet has lastly patched a important safety vulnerability in its Wi-fi LAN Supervisor (FortiWLM) that would enable unauthenticated delicate data disclosure. And, when chained with one other problem, it might result in distant code execution (RCE), a researcher warned.
The bug (CVE-2023-34990, CVSS 9.6) was first disclosed in March, when it was described as an “unauthenticated restricted file learn vulnerability” with no CVE.
“This problem outcomes from the shortage of enter validation on request parameters permitting an attacker to traverse directories and browse any log file on the system,” Horizon3.ai safety researcher Zach Hanley, who reported the bug to Fortinet, famous in March. He has confirmed to Darkish Studying that the bug patched this week is identical problem.
He added, “Fortunately for an attacker, the FortiWLM has very verbose logs — and logs the session ID of all authenticated customers. Abusing the above arbitrary log file learn, an attacker can now acquire the session ID of a consumer and login and in addition abuse authenticated endpoints.”
NIST’s Nationwide Vulnerability Database (NVD) has famous that the flaw may also be used to “execute unauthorized code or instructions through specifically crafted Net requests” — due to the entry it gives to these authenticated endpoints.
The bug impacts FortiWLM variations 8.6.0 by way of 8.6.5 (fastened in 8.6.6 or above) and variations 8.5.0 by way of 8.5.4 (fastened in 8.5.5 or above).
Combining Fortinet Vulnerabilities to Obtain RCE
Hanley again in March flagged a possible exploit chain as properly: When CVE-2023-34990 is mixed with an authenticated command-injection bug that Fortinet patched final yr (CVE-2023-48782, CVSS 8.8), it turns into one other recipe for RCE.
This second problem permits an attacker who has used CVE-2023-34990 to realize entry to an authenticated endpoint to, from there, inject a crafted malicious string in a request to the /ems/cgi-bin/ezrf_switches.cgi endpoint that can be executed with root privileges.
“Combining each the unauthenticated arbitrary log file learn and this authenticated command injection, an unauthenticated attacker can acquire distant code execution within the context of root,” Hanley defined. “This endpoint is accessible for each low privilege customers and admins.”
Admins ought to patch the Fortinet home equipment ASAP, given the seller’s standing as a most-favored cyberattack goal.