On 12 May 2023, Horizon3 researcher Zach Hanley found an unauthenticated limited file read vulnerability in FortiWLM that he promptly disclosed to Fortinet. On 18 December 2024, it was given a name—CVE-2023-34990—and Fortinet released an advisory warning users of its severity.
This flaw brought with it a critical CVSS rating of 9.8, allowing unauthenticated attackers to use improper input validation to read sensitive log files on affected systems. These files frequently contain administrator session IDs, which attackers can use to bypass authentication and gain privileged access to victims’ devices.
Technical Details
CVE-2023-34990’s limited file read can be found at the /ems/cgi-bin/ezrf_lighttpd.cgi endpoint, where a threat actor can traverse paths to read arbitrary system log files. The offending endpoint is located at /opt/meru/etc/ws/cgi-bin/ezrf_lighttpd.cgi and does not correctly validate request parameters when parsing them.
One such parameter is op_type. When a request sets op_type to upgradelogs, control is given to the upgradelogs() function, which returns the content of the log file specified within the variable $filename in the response. Using the imagename parameter, an attacker can perform a simple path traversal like so:
/ems/cgi-bin/ezrf_lighttpd.cgi?op_type=upgradelogs&imagename=../../../../../../../../data/apps/nms/logs/httpd_error_log
The response to this request should contain an administrator’s session ID in the set-cookie header, which can now be used to take over a vulnerable system.
Affected Products
| Version | Affected |
|---|---|
| FortiWLM 8.6 | 8.6.0 through 8.6.5 |
| FortiWLM 8.5 | 8.5.0 through 8.5.4 |
Impact
Exploitation of this CVE can lead to network-wide disruptions for organizations that use FortiWLM, since unauthenticated attackers can use it to gain complete access to devices, and even chain it with CVE-2023-48782) to perform remote code execution in the context of root.
Solutions
Fortinet Wireless LAN Manager versions 8.6.6 and 8.5.5 contain patches. Fortinet recommends immediately upgrading to either of these (or any newer release).
Instantly Fix Risks with SanerNow Patch Management
SanerNow patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. SanerNow patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.