
WARNING: CRITICAL UNAUTHENTICATED RCE IN FORTINET FORTIWLM, PATCH IMMEDIATELY

Reference:
Advisory #2024-295
Version: 
1.0
Affected software:
FortiWLM 8.6 (8.6.0 through 8.6.5)
FortiWLM 8.5 (8.5.0 through 8.5.4)
Type: 
Remote code execution
CVE/CVSS: 

CVE-2024-49194: CVSS 7.3 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Sources

https://www.fortiguard.com/psirt/FG-IR-23-144

Risks

An unauthenticated attacker might gain access to sensitive files through a path traversal vulnerability, potentially leading to execution of unauthorized code or commands. This CVE has a high impact on all three components of the CIA triad (confidentiality, integrity and availability).

Description

An unauthenticated remote attacker can exploit a path traversal vulnerability to read sensitive log files and obtain user session IDs through the /ems/cgi-bin/ezrf_lighttpd.cgi endpoint. Because the session IDs remain the same between user sessions, an attacker can hijack them and gain administrative access.

An attacker could then chain additional exploits, such as CVE-2023-48782, to gain remote code execution with root privileges if the system has not received any updates.

Recommended actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

  • FortiWLM 8.6: Upgrade to 8.6.6 or above
  • FortiWLM 8.5: Upgrade to 8.5.5 or above

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
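A defender-side check in the spirit of this recommendation, added here as an example that is not part of the CCB advisory or of Fortinet's guidance: it scans web-server access logs for plain, URL-encoded or double-encoded directory-traversal sequences aimed at the /ems/cgi-bin/ezrf_lighttpd.cgi endpoint named in the description. The log format, the query parameter names and the file names in the sample lines are constructed assumptions, not the product's real parameters.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); parameter and file
# names are invented for illustration and do not reflect the real endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Dec/2024:10:01:02 +0100] "GET /ems/cgi-bin/ezrf_lighttpd.cgi?cmd=getStatus HTTP/1.1" 200 512
10.0.0.9 - - [19/Dec/2024:10:03:17 +0100] "GET /ems/cgi-bin/ezrf_lighttpd.cgi?f=%2e%2e%2f%2e%2e%2fexample.log HTTP/1.1" 200 8192
10.0.0.9 - - [19/Dec/2024:10:03:18 +0100] "GET /ems/cgi-bin/ezrf_lighttpd.cgi?f=../../example.log HTTP/1.1" 404 120
10.0.0.7 - - [19/Dec/2024:10:05:00 +0100] "GET /index.html HTTP/1.1" 200 1024
"""

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)
ENDPOINT = "/ems/cgi-bin/ezrf_lighttpd.cgi"
# A ".." segment adjacent to a path separator (forward or back slash).
TRAVERSAL = re.compile(r'\.\.[/\\]|[/\\]\.\.')


def is_traversal(target):
    """True if the request target contains a traversal sequence after decoding.

    Decoding twice also catches double-encoded forms such as %252e%252e%252f.
    """
    decoded = unquote(unquote(target))
    return bool(TRAVERSAL.search(decoded))


def find_suspicious(log_text):
    """Return one record per request to the endpoint that carries a traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash the scan
        target = m.group("target")
        path = target.split("?", 1)[0]
        if path.startswith(ENDPOINT) and is_traversal(target):
            status = int(m.group("status"))
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "target": target,
                "status": status,
                "served": status == 200,  # a 200 means the file was likely returned
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

Requests flagged with "served": True deserve priority, since the advisory notes that session IDs read this way remain valid and can be reused for administrative access.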

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/nl/cert/een-incident-melden.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

https://thehackernews.com/2024/12/fortinet-warns-of-critical-fortiwlm.html