CVE-2023-34990 (CVSS 9.8): Critical Security Flaw Found in Fortinet FortiWLM

Fortinet, a leading cybersecurity vendor, has issued urgent advisories regarding several critical vulnerabilities affecting its popular products, including FortiClient VPN, FortiManager, and FortiWLM. These flaws range from password exposure to remote code execution and unauthorized file access, potentially putting millions of users at risk.

CVE-2024-50570 (CVSS 5.0): FortiClient VPN Exposes User Credentials:

A vulnerability (CVE-2024-50570) in FortiClient for Windows and Linux allows attackers to extract VPN passwords from memory. This flaw stems from the improper handling of sensitive information by JavaScript’s garbage collector, enabling malicious actors to potentially gain unauthorized access to VPN connections.

Fortinet urges users to upgrade to the latest versions of FortiClient (7.4.3 or above for 7.4, 7.2.8 or above for 7.2, and 7.0.14 or above for 7.0) to address this issue. As a temporary workaround, enabling two-factor authentication and ensuring the FortiClient console closes automatically after VPN connection establishment can mitigate the risk.

CVE-2024-48889 (CVSS 7.2): FortiManager Vulnerable to Remote Code Execution:

A vulnerability (CVE-2024-48889) in FortiManager, a centralized security management platform, could allow authenticated attackers to execute arbitrary code remotely. This flaw, with a CVSS score of 7.2, arises from improper neutralization of special elements in OS commands, potentially granting attackers significant control over affected systems.

To address this vulnerability, Fortinet has released updates for various FortiManager versions, including 7.6, 7.4, 7.2, 7.0, and 6.4. Users are strongly advised to upgrade to the latest versions immediately.

CVE-2023-34990 (CVSS 9.8): FortiWLM Suffers from Unauthenticated File Access:

A critical vulnerability (CVE-2023-34990) in FortiWLM, a wireless LAN management solution, allows unauthenticated attackers to read sensitive files. This flaw, with a CVSS score of 9.8, stems from a relative path traversal issue, enabling attackers to gain unauthorized access to confidential information.

Fortinet credits security researcher Zach Hanley of Horizon3.ai for responsibly disclosing this vulnerability. In a blog, the researcher published the technical details.

Leak Session ID with Unauthenticated Arbitrary Log File Read | Source: Horizon3.ai

The vulnerability stems from a lack of input validation on request parameters sent to a specific endpoint: /ems/cgi-bin/ezrf_lighttpd.cgi. This endpoint, implemented as a Perl script, fails to validate the imagename parameter properly. As a result, attackers can construct requests that include path traversal sequences (../), enabling them to access files outside the intended directory.

Updates are available for FortiWLM versions 8.6 and 8.5, and users should upgrade to the latest versions to mitigate this risk.

Urgent Action Needed:

Organizations and individuals relying on Fortinet products should prioritize applying the necessary updates to protect their systems and data from potential attacks.

Fortinet’s advisories provide detailed information on affected versions, remediation steps, and workarounds. Users are encouraged to consult these resources and take appropriate action to secure their environments.

Related Posts:

• Critical Fortinet Vulnerability Exploited: Hackers Deploy Remote Control Tools and Backdoors
• PoC Exploit Released for Critical Fortinet FortiClient EMS CVE-2023-48788 Flaw
• CVE-2023-48788 Exploited: Researcher Details Cyberattacks on Fortinet EMS
• Critical Vulnerabilities in FortiSIEM and FortiWLM