Use of hardcoded credentials for communication between Meru access points and FortiWLC
Fortinet PSIRT Advisories
Fortinet PSIRT Contact:
Website: https://fortiguard.fortinet.com/faq/psirt-contact
FG-IR-17-274
Final
1
1
2018-05-04T00:00:00
Current version
2018-05-04T00:00:00
2018-05-04T00:00:00
FortiWLC included two hardcoded accounts which were used by Meru Access Points to report core dumps; these accounts had read/write privileges over various parts of the system. Starting with FortiWLC 7.0.13 and FortiWLC 8.4.0, the accounts are now completely removed and do not persist over firmware upgrade.
Unauthorized read/write remote access
* FortiWLC 7.0.11 and lower in the 7.x branch
* FortiWLC 8.3.3 and lower in the 8.x branch

* FortiWLC 7.x installations must be upgraded to FortiWLC 7.0.13 or higher
* FortiWLC 8.x installations must be upgraded to FortiWLC 8.4.0 or higher
Fortinet is pleased to thank University of Toronto for reporting this vulnerability under responsible disclosure.
FortiWLC 8.3.3
FortiWLC 8.3.2
FortiWLC 8.3.1
FortiWLC 8.3.0
FortiWLC 8.2.7
FortiWLC 8.2.6
FortiWLC 8.2.5
FortiWLC 8.2.4
FortiWLC 8.1.3
FortiWLC 8.1.2
FortiWLC 8.0.6
FortiWLC 8.0.5
FortiWLC 7.0.15
FortiWLC 7.0.13
FortiWLC 7.0.11
CVE-2017-17539
9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:X/RC:X
https://fortiguard.fortinet.com/psirt/FG-IR-17-274