FortiWLC PAM.log authenticated user information exposure
Summary
The pam.log file generated by FortiWLC contains the credentials of authenticated users (local admin and users authenticated against external servers). Users with admin privileges can access the pam.log file and read the credentials.
Affected Products
FortiWLC 6.1-2-29 and below, 7.0-9-1, 7.0-10-0, 8.0-5-0, 8.1-2-0, and 8.2-4-0
Solutions
Depending on your version, apply the following patches:
Below 6.1-2-29:
Update to 7.0-10-0 or above, and apply the corresponding patch.
6.1-2-29:
meru-6.1-2-29-patch-bug0388249
7.0-9-1:
meru-7.0-9-1-patch-bug0388249
7.0-10-0:
meru-7.0-10-0-patch-bug0388249
8.0-5-0:
meru-8.0-5-0-patch-bug0388249
8.1-2-0:
meru-8.1-2-0-patch-bug0388249
8.2-4-0:
meru-8.2-4-0-patch-bug0388249
Acknowledgement
Fortinet is pleased to thank University of Toronto for reporting this vulnerability under responsible disclosure.