PSIRT Advisories

FortiWLC PAM.log authenticated user information exposure

Summary

The pam.log file generated by FortiWLC contains authenticated users' credentials (local admin and users authenticated against external servers). Users with admin privileges can access the pam.log file and read the credentials.

Description

The pam.log file generated by FortiWLC contains authenticated users' credentials (local admin and users authenticated against external servers). Users with admin privileges can access the pam.log file and read the credentials.

Affected Products

FortiWLC 6.1-2-29 and below, 7.0-9-1, 7.0-10-0, 8.0-5-0, 8.1-2-0, and 8.2-4-0

Solutions

Depending on your version, apply the following patches:


Below 6.1-2-29:

Update to 7.0-10-0 or above, and apply the corresponding patch.


6.1-2-29:

meru-6.1-2-29-patch-bug0388249


7.0-9-1:

meru-7.0-9-1-patch-bug0388249


7.0-10-0:

meru-7.0-10-0-patch-bug0388249


8.0-5-0:

meru-8.0-5-0-patch-bug0388249


8.1-2-0:

meru-8.1-2-0-patch-bug0388249


8.2-4-0:

meru-8.2-4-0-patch-bug0388249

Acknowledgement

Fortinet is pleased to thank the University of Toronto for reporting this vulnerability under responsible disclosure.