
Fortinet flags some worrying security bugs coming back from the dead


  • A Fortinet flaw, fixed in September 2023, was just flagged in a security bulletin
  • The bug was first discovered in May 2023, and allows crooks to take over vulnerable endpoints
  • Users are advised to apply the patch immediately

Fifteen months after first patching, Fortinet has released a security bulletin to flag a critical severity flaw plaguing its Fortinet Wireless Manager (FortiWLM) product.

The flaw can be used to take over the devices remotely, so if you’re using an older version, make sure to update it immediately.

FortiWLM is a centralized platform for managing, monitoring, and optimizing Fortinet wireless access points and controllers, enabling secure and scalable wireless network deployments. It is usually used by large enterprises and government agencies.

Fixed in September

In May 2023, Zach Hanley, a security researcher at Horizon3, discovered a relative path traversal flaw affecting the product. It is tracked as CVE-2023-34990, and was given a severity score of 9.8/10 (critical). The bug stems from improper input validation, which allows attackers to read sensitive log files from the system. Since these log files often contain administrator session IDs, they can be abused to grant the attackers remote access to the vulnerable endpoint.

“Abusing the lack of input validation, an attacker can construct a request where the imagename parameter contains a path traversal, allowing the attacker to read any log file on the system,” Hanley said at the time.

“Luckily for an attacker, the FortiWLM has very verbose logs – and logs the session ID of all authenticated users. Abusing the above arbitrary log file read, an attacker can now obtain the session ID of a user and login and also abuse authenticated endpoints.”
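The root cause described above is a file-name parameter that is handed to the filesystem without validation. As an added example (my own code, not Fortinet's or Horizon3's), this is how a defender would validate such a parameter so that it cannot escape its directory; the base directory, sample names and the `resolve_image_path` helper are assumptions constructed for the demo.

```python
"""Added example: validating a user-supplied file-name parameter (like the
`imagename` parameter in the article) so a request cannot escape the intended
directory and read arbitrary files. Paths and names are constructed for the demo."""
import os
from urllib.parse import unquote

# Constructed base directory for the demo; it does not need to exist on disk.
DEMO_BASE_DIR = "/srv/fortiwlm-demo/images"


class PathTraversalError(ValueError):
    """Raised when a supplied name would resolve outside the allowed directory."""


def resolve_image_path(base_dir: str, imagename: str) -> str:
    """Return the absolute path under base_dir for imagename, or raise.

    Defensive steps, in order:
      1. Percent-decode a bounded number of times so encoded dots and slashes
         ("..%2f", "%252e") cannot slip past a textual check.
      2. Reject empty names, NUL bytes, absolute paths and any path separator:
         a file-name parameter should never carry directory components.
      3. Canonicalise with realpath and confirm the result still lies inside
         the canonical base directory (catches symlinks and leftover '..').
    """
    decoded = imagename
    for _ in range(3):  # bounded loop: handles double encoding without spinning
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if not decoded or "\x00" in decoded:
        raise PathTraversalError("empty name or NUL byte")
    if os.path.isabs(decoded) or "/" in decoded or "\\" in decoded:
        raise PathTraversalError("directory components are not allowed")
    if decoded in (".", ".."):
        raise PathTraversalError("dot names are not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError("resolved path escapes base directory")
    return candidate


def is_safe_imagename(base_dir: str, imagename: str) -> bool:
    """True if imagename resolves safely under base_dir, False otherwise."""
    try:
        resolve_image_path(base_dir, imagename)
        return True
    except PathTraversalError:
        return False
```

The same check belongs on every parameter that names a file, and the served directory should contain only the intended images, never log files.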

The flaw affects FortiWLM versions 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4.

However, although Hanley discovered the bug and reported it to Fortinet, the company did not publicly address it, prompting him to disclose his findings, and release a proof-of-concept (PoC), in March 2023. Earlier this week, Fortinet published a new security bulletin, in which it stated that the bug was fixed in September last year.

That means the flaw was a zero-day for roughly four months, and stayed completely out of users' sight for 15 months.

Via BleepingComputer


https://www.techradar.com/pro/security/fortinet-flags-some-worrying-security-bugs-coming-back-from-the-dead


