PSIRT Advisories
Use of hardcoded credentials for communication between Meru access points and FortiWLC
Summary
FortiWLC included two hardcoded accounts which were used by Meru Access Points to report core dumps; these accounts had read/write privileges over various parts of the system.
Starting with FortiWLC 7.0.13 and FortiWLC 8.4.0, the accounts are completely removed and do not persist across firmware upgrades.
Affected Products
- FortiWLC 7.0.11 and lower in the 7.x branch
- FortiWLC 8.3.3 and lower in the 8.x branch
Solutions
- FortiWLC 7.x installations must be upgraded to FortiWLC 7.0.13 or higher
- FortiWLC 8.x installations must be upgraded to FortiWLC 8.4.0 or higher
Acknowledgement
Fortinet is pleased to thank the University of Toronto for reporting this vulnerability under responsible disclosure.