Fortinet Wireless Manager: Information on critical vulnerability withheld
Attackers were able to attack Fortinet Wireless Manager and hijack admin sessions. The network management tool was vulnerable for several months.
(Image: created with AI in Bing Designer by heise online / dmk)
Admins who manage networks with Fortinet Wireless Manager (FortiWLM) should ensure that their instances are up to date and thus protected against possible attacks. A security researcher from Horizon3 reported a security vulnerability to Fortinet back in May 2023. The security patch followed in September 2023, but the existence of both the patch and the vulnerability has only now been made public.
The danger
In an article published in March of this year, the security researcher described, among other things, the "critical" vulnerability now tracked as CVE-2023-34990; at the time it had not yet been assigned a CVE number.
Because input is not sufficiently validated, attackers can exploit the vulnerability with certain requests and without authentication. If such an attack succeeds, they can read logs that may contain admin session IDs. Equipped with these, attackers are able to gain full control over the devices.
The forgotten gap
In a security advisory, Fortinet now states that versions 8.5.0 up to and including 8.5.4 and 8.6.0 up to and including 8.6.5 are affected. According to the company, versions 8.5.5 and 8.6.6, released in September 2023, are fixed.
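For admins who need to check an inventory of FortiWLM instances against the version ranges named in the advisory, the following script is an added example (it is not code from heise online, Fortinet or Horizon3). It assumes versions are reported as dotted `major.minor.patch` strings, optionally with a build suffix; that format and the sample hostnames are constructed for illustration. Versions outside the listed branches are reported as "not in the stated ranges" rather than as safe, since the advisory only speaks about 8.5.x and 8.6.x.

```python
import re
from typing import Dict, Optional, Tuple

# Affected ranges as stated in Fortinet's advisory for CVE-2023-34990:
# 8.5.0 through 8.5.4 and 8.6.0 through 8.6.5. Fixed in 8.5.5 and 8.6.6.
AFFECTED_RANGES = [
    ((8, 5, 0), (8, 5, 4)),
    ((8, 6, 0), (8, 6, 5)),
]
FIXED_VERSIONS = {(8, 5): (8, 5, 5), (8, 6): (8, 6, 6)}

# Assumed format: optional "v", then major.minor.patch, then an optional
# suffix such as "-build0456" that is ignored for the comparison.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse a version string like '8.6.3' into an (8, 6, 3) tuple, or None."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def recommended_fix(version: str) -> Optional[str]:
    """Return the fixed release in the same branch, or None if not affected."""
    v = parse_version(version)
    if v is None or not is_affected(version):
        return None
    fixed = FIXED_VERSIONS.get(v[:2])
    return ".".join(str(n) for n in fixed) if fixed else None


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in a {host: version} inventory to a triage status string."""
    result = {}
    for host, ver in inventory.items():
        try:
            if is_affected(ver):
                result[host] = f"AFFECTED - upgrade to {recommended_fix(ver)}"
            else:
                # Not asserting "safe": only the 8.5.x/8.6.x ranges are documented.
                result[host] = "not in the stated ranges"
        except ValueError as exc:
            result[host] = f"UNKNOWN ({exc})"
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "wlm-01.example": "8.6.3",
        "wlm-02.example": "8.6.6",
        "wlm-03.example": "v8.5.2-build0456",
        "wlm-04.example": "8.5.5",
        "wlm-05.example": "n/a",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

The comparison is done on integer tuples rather than on strings so that a hypothetical 8.6.10 would sort after 8.6.6 instead of before it; a string comparison would get that wrong.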
It is currently not known why Fortinet remained silent about the vulnerability for so long. Given that FortiWLM is an attractive target for attackers seeking to compromise corporate networks, the late disclosure seems grossly negligent: for lack of a warning from the company, admins could still be running vulnerable versions. It is unclear whether attacks have already taken place, and Fortinet does not provide admins with any guidance on how to recognize compromises that may already have occurred.
(des)