PSIRT Advisory

Use of hardcoded credentials for communication between Meru access points and FortiWLC

Summary

FortiWLC included two hardcoded accounts used by Meru access points to report core dumps; these accounts had read/write privileges over various parts of the system.
Starting with FortiWLC 7.0.13 and FortiWLC 8.4.0, the accounts have been removed entirely and do not persist across firmware upgrades.

Impact

Unauthorized read/write remote access

Affected Products

  • FortiWLC 7.0.11 and lower in the 7.x branch
  • FortiWLC 8.3.3 and lower in the 8.x branch

Solutions

  • FortiWLC 7.x installations must be upgraded to FortiWLC 7.0.13 or higher
  • FortiWLC 8.x installations must be upgraded to FortiWLC 8.4.0 or higher

Acknowledgement

Fortinet is pleased to thank the University of Toronto for reporting this vulnerability under responsible disclosure.