Affected product(s):
CVE-2023-34990:
- FortiWLM 8.6, 8.6.0 to 8.6.5
- FortiWLM 8.5, 8.5.0 to 8.5.4
CVE-2023-48782:
- FortiWLM 8.6, 8.6.0 to 8.6.5
CVE-2024-48889:
- FortiManager 7.6.0 (fixed in 7.6.1 or later)
- FortiManager versions 7.4.0 to 7.4.4 (fixed in 7.4.5 or later)
- FortiManager Cloud versions 7.4.1 to 7.4.4 (fixed in 7.4.5 or later)
- FortiManager versions 7.2.3 to 7.2.7 (fixed in 7.2.8 or later)
- FortiManager Cloud versions 7.2.1 to 7.2.7 (fixed in 7.2.8 or later)
- FortiManager versions 7.0.5 to 7.0.12 (fixed in 7.0.13 or later)
- FortiManager Cloud versions 7.0.1 to 7.0.12 (fixed in 7.0.13 or later)
- FortiManager versions 6.4.10 to 6.4.14 (fixed in 6.4.15 or later)
Description
Fortinet has published several vulnerabilities that, when chained, become critical. Two of them affect Fortinet's Wireless LAN Manager (FortiWLM): CVE-2023-34990, a path-traversal vulnerability rated Critical (CVSSv3 9.6), and CVE-2023-48782, a command injection vulnerability rated High (CVSSv3 8.6). Combined, they can lead to remote code execution (RCE).
Successful exploitation of CVE-2023-34990 allows a remote, unauthenticated attacker to read FortiWLM log files and recover a user's login and session ID, which in turn gives access to the authenticated endpoints. Because web session IDs are static between user sessions, an attacker can hijack one and obtain administrative privileges on the device.
An attacker can then chain CVE-2023-34990 with CVE-2023-48782, an authenticated command injection flaw that is likewise fixed in FortiWLM 8.6.6, to obtain remote code execution as root.
Fortinet has also fixed a further vulnerability in FortiManager, CVE-2024-48889, an OS command injection with a CVSS score of 7.2. Fortinet noted that several older FortiAnalyzer models (1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G and 3900E) are also affected by CVE-2024-48889 when the FortiManager feature ("fmg-status") is enabled.
We recommend patching these products promptly: they are security products widely deployed in organisations, and attackers use them as an entry vector.
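To triage an inventory against the version ranges listed in this advisory, the following Python checker is an added example (not Fortinet tooling and not code from the original page). The ranges are transcribed from the affected-products list above; the inventory entries are constructed. One assumption is labelled in the code: the advisory gives no separate version range for the older models, so they are evaluated against the on-premise FortiManager ranges whenever fmg-status is enabled.

```python
import re

# Inclusive affected ranges transcribed from the advisory's
# "Affected product(s)" list: CVE -> [(product, first_affected, last_affected)].
AFFECTED_RANGES = {
    "CVE-2023-34990": [
        ("FortiWLM", "8.6.0", "8.6.5"),
        ("FortiWLM", "8.5.0", "8.5.4"),
    ],
    "CVE-2023-48782": [
        ("FortiWLM", "8.6.0", "8.6.5"),
    ],
    "CVE-2024-48889": [
        ("FortiManager", "7.6.0", "7.6.0"),
        ("FortiManager", "7.4.0", "7.4.4"),
        ("FortiManager Cloud", "7.4.1", "7.4.4"),
        ("FortiManager", "7.2.3", "7.2.7"),
        ("FortiManager Cloud", "7.2.1", "7.2.7"),
        ("FortiManager", "7.0.5", "7.0.12"),
        ("FortiManager Cloud", "7.0.1", "7.0.12"),
        ("FortiManager", "6.4.10", "6.4.14"),
    ],
}

# Older models the advisory lists as affected by CVE-2024-48889 only when the
# FortiManager feature ("fmg-status") is enabled.
FMG_STATUS_MODELS = {
    "1000E", "1000F", "2000E", "3000E", "3000F", "3000G",
    "3500E", "3500F", "3500G", "3700F", "3700G", "3900E",
}


def parse_version(text):
    """'v7.4.3', '8.6' or '7.0.12 build1234' -> (7, 4, 3); missing parts are 0."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def in_range(version, first, last):
    """Inclusive comparison on (major, minor, patch) tuples."""
    return parse_version(first) <= parse_version(version) <= parse_version(last)


def affected_cves(product, version, model=None, fmg_status=False):
    """Return the advisory CVEs whose affected ranges cover this device.

    product is "FortiWLM", "FortiManager" or "FortiManager Cloud".
    Assumption (not stated in the advisory): an older model with fmg-status
    enabled is checked against the on-premise FortiManager ranges.
    """
    hits = set()
    for cve, ranges in AFFECTED_RANGES.items():
        for rng_product, first, last in ranges:
            if rng_product == product and in_range(version, first, last):
                hits.add(cve)
    if fmg_status and model in FMG_STATUS_MODELS:
        for rng_product, first, last in AFFECTED_RANGES["CVE-2024-48889"]:
            if rng_product == "FortiManager" and in_range(version, first, last):
                hits.add("CVE-2024-48889")
    return sorted(hits)


def triage(inventory):
    """Map each inventory entry (name -> list of CVEs) for reporting."""
    return {
        d["name"]: affected_cves(
            d["product"], d["version"], d.get("model"), d.get("fmg_status", False)
        )
        for d in inventory
    }


if __name__ == "__main__":
    # Constructed inventory for illustration; not real devices.
    inventory = [
        {"name": "wlm-01", "product": "FortiWLM", "version": "v8.6.3"},
        {"name": "wlm-02", "product": "FortiWLM", "version": "8.5.5"},
        {"name": "fmg-01", "product": "FortiManager", "version": "7.4.3 build2569"},
        {"name": "fmg-cloud", "product": "FortiManager Cloud", "version": "7.4.0"},
        {"name": "faz-old", "product": "FortiAnalyzer", "version": "7.2.5",
         "model": "3000E", "fmg_status": True},
    ]
    for name, cves in triage(inventory).items():
        print(f"{name}: {', '.join(cves) or 'not in an affected range'}")
```

The checker compares only the numeric release (major.minor.patch) and ignores build numbers, which is what the advisory's ranges are expressed in; a device reporting a fixed release but running an older build should still be verified on the box, and a FortiManager-feature-enabled older model should be confirmed with `get system status` rather than from an inventory flag alone.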
Solution
The vendor has released security patches for FortiWLM and FortiManager; refer to the manufacturer's update links:
- FortiWLM
- Version 8.6 https://docs.fortinet.com/product/fortiwlm/8.6
- Version 8.5 https://docs.fortinet.com/product/fortiwlm/8.5
- FortiManager