Full Report
Fortinet has issued an advisory for a now-patched critical security flaw impacting Wireless LAN Manager (FortiWLM) that could lead to disclosure of sensitive information. The vulnerability, tracked as CVE-2023-34990, carries a CVSS score of 9.6 out of a maximum of 10.0. "A relative path traversal [CWE-23] in FortiWLM may allow a remote unauthenticated attacker to read sensitive files," the
Analysis Summary
# Vulnerability: Critical Relative Path Traversal in FortiWLM Allowing File Read and Potential Admin Access
## CVE Details
- CVE ID: CVE-2023-34990
- CVSS Score: 9.6 (Critical)
- CWE: CWE-23 (Relative Path Traversal)
## Affected Systems
- Products: FortiWLM (Fortinet Wireless LAN Manager)
- Versions:
- 8.6.0 through 8.6.5
- 8.5.0 through 8.5.4
- Configurations: Not specified, assumed default installation of vulnerable versions.
## Vulnerability Description
The vulnerability is a Relative Path Traversal flaw residing in FortiWLM. This flaw allows a remote, unauthenticated attacker to read sensitive files on the underlying operating system. The vulnerability is triggered via crafted web requests to the `/ems/cgi-bin/ezrf_lighttpd.cgi` endpoint. Lack of proper input validation on request parameters enables directory traversal, allowing the reading of arbitrary log files. Successful exploitation can lead to the disclosure of session IDs, which are static between user sessions. This allows an attacker to hijack these sessions and potentially gain administrative permissions to the appliance. While initially disclosed as a limited file read vulnerability, the NIST NVD description suggests it could also be exploited for unauthorized code or command execution via specially crafted web requests.
## Exploitation
- Status: PoC available (Originally reported by Horizon3.ai researcher)
- Complexity: Likely Low, as it requires no authentication.
- Attack Vector: Network
## Impact
- Confidentiality: High (Reading sensitive files, session IDs)
- Integrity: High (Potential to execute unauthorized code/commands)
- Availability: Medium to High (Depending on the commands executed)
## Remediation
### Patches
- FortiWLM versions 8.6.6 or above
- FortiWLM versions 8.5.5 or above
### Workarounds
No specific workarounds were detailed in the provided context, but typical mitigation for path traversal involves strict input validation on relevant parameters or restricting network access to the affected endpoint if possible.
## Detection
- Indicators of Compromise: System logs indicating unusual access patterns to internal files (e.g., configuration or log files) via the specified endpoint (`/ems/cgi-bin/ezrf_lighttpd.cgi`). Monitor for successful or attempted session hijacking attempts post-exploitation.
- Detection methods and tools: Network monitoring tools or intrusion detection systems (IDS) looking for traffic targeting the `/ems/cgi-bin/ezrf_lighttpd.cgi` URI with payload indicators of directory traversal sequences (e.g., `../../`).
## References
- Vendor Advisory: fortiguard dot fortinet dot com/psirt/FG-IR-23-144
- NVD Entry: nvd dot nist dot gov/vuln/detail/CVE-2023-34990
- Researcher Disclosure: horizon3 dot ai/attack-research/disclosures/fortiwlm-the-almost-story-for-the-forti-forty