Vypr · patch · Published Apr 14, 2026 · Updated May 20, 2026 · 1 source

Missing Authentication Vulnerability in FortiOS CAPWAP Daemon Allows Local Configuration Write

Fortinet disclosed a missing authentication vulnerability in the CAPWAP daemon of FortiOS and FortiSwitchManager, allowing local unauthenticated attackers to write device configuration.

Fortinet has disclosed a missing authentication for critical function vulnerability (CWE-306) in the CAPWAP daemon of FortiOS and FortiSwitchManager. The flaw, assigned a CVSS score of 6.2, could allow a local unauthenticated attacker on the same IP subnet to write device configuration via specially crafted requests. However, exploitation requires the targeted FortiGate device to run a specific, non-default configuration, limiting the attack surface.

The vulnerability affects multiple FortiOS versions, including 7.6.0 through 7.6.3, 7.4.0 through 7.4.8, 7.2.0 through 7.2.11, 7.0.0 through 7.0.17, and all versions of 6.4 and 6.2.9 through 6.2.17. FortiSwitchManager is also impacted. Fortinet has released patches for supported versions, with upgrades to 7.6.4, 7.4.9, 7.2.12, and 7.0.18 recommended. Users on older branches are advised to migrate to a fixed release.

As a workaround, Fortinet recommends disabling security fabric access on interfaces, allowing only legitimate devices in the Managed FortiAPs list, and removing inter-controller-peer elements from the wireless controller configuration. Notably, if auto-auth-extension-device is enabled on an interface, any device that requests authorization is accepted automatically, so exploitation no longer requires an administrator to first authorize the attacker's device. This setting is disabled by default. If inter-controller-peer is configured, changing the inter-controller-key is strongly advised even on fixed versions.
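A defensive check covering both the affected version ranges and the workaround settings above, added here as an example and not Fortinet's code or the advisory's own material: it takes a device's FortiOS version and a configuration dump, reports whether the version falls in one of the affected ranges, and flags the non-default conditions the advisory names (security fabric access on an interface, auto-auth-extension-device enabled, inter-controller-peer entries present). The CLI keywords are assumed to follow FortiOS CLI conventions, and the configuration it parses is a constructed sample, not output from a real device.

```python
"""Audit a FortiOS configuration dump for the advisory's risk conditions.

Added example, not Fortinet's code or tooling.  The version ranges come from
the advisory text; the CLI keywords (config system interface, set allowaccess
... fabric, set auto-auth-extension-device, config wireless-controller
inter-controller, config inter-controller-peer, set inter-controller-key) are
assumed to follow FortiOS CLI conventions.  The sample configuration below is
constructed for illustration.
"""

# Affected FortiOS ranges (inclusive) and the remediation the advisory gives.
AFFECTED = [
    ((7, 6, 0), (7, 6, 3), "upgrade to 7.6.4 or above"),
    ((7, 4, 0), (7, 4, 8), "upgrade to 7.4.9 or above"),
    ((7, 2, 0), (7, 2, 11), "upgrade to 7.2.12 or above"),
    ((7, 0, 0), (7, 0, 17), "upgrade to 7.0.18 or above"),
    ((6, 4, 0), (6, 4, 999), "migrate to a fixed release"),  # all 6.4 releases
    ((6, 2, 9), (6, 2, 17), "migrate to a fixed release"),
]


def parse_version(s):
    """'7.4.5' -> (7, 4, 5); short forms such as '6.4' are padded with zeros."""
    parts = tuple(int(x) for x in s.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def affected_status(version):
    """Return the remediation string if the version is affected, else None."""
    v = parse_version(version)
    for lo, hi, action in AFFECTED:
        if lo <= v <= hi:
            return action
    return None


def parse_fortios(text):
    """Minimal FortiOS CLI parser: {scope path tuple: {key: [values]}}.

    'config' and 'edit' push a scope, 'next' and 'end' pop it, and 'set'
    records a key with its whitespace-separated values in the current scope.
    """
    scopes, path = {}, []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "config":
            path.append(" ".join(tok[1:]))
            scopes.setdefault(tuple(path), {})
        elif tok[0] == "edit":
            path.append(tok[1].strip('"'))
            scopes.setdefault(tuple(path), {})
        elif tok[0] in ("next", "end"):
            path.pop()
        elif tok[0] == "set":
            scopes.setdefault(tuple(path), {})[tok[1]] = tok[2:]
    return scopes


def audit(version, config_text):
    """Return the list of findings for a device at `version` running `config_text`."""
    findings = []
    action = affected_status(version)
    if action:
        findings.append(f"FortiOS {version} is in an affected range: {action}")

    scopes = parse_fortios(config_text)
    peers = []
    for path, s in scopes.items():
        if len(path) == 2 and path[0] == "system interface":
            iface = path[1]
            if "fabric" in s.get("allowaccess", []):
                findings.append(f"{iface}: security fabric access enabled on interface")
            # Default is 'disable'; an absent key means the default applies.
            if s.get("auto-auth-extension-device", ["disable"])[0] == "enable":
                findings.append(f"{iface}: auto-auth-extension-device enabled "
                                "(non-default); any device can be authorized")
        if len(path) == 3 and path[:2] == (
                "wireless-controller inter-controller", "inter-controller-peer"):
            peers.append(path[2])
    if peers:
        findings.append(f"inter-controller-peer entries {peers} present: remove them "
                        "or rotate inter-controller-key even on a fixed release")
    return findings


# Constructed sample configuration (not from a real device); the key value is a placeholder.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set allowaccess ping https ssh fabric
        set auto-auth-extension-device enable
    next
    edit "port2"
        set allowaccess ping https
    next
end
config wireless-controller inter-controller
    set inter-controller-mode l2-connected
    set inter-controller-key ENC PLACEHOLDER_KEY
    config inter-controller-peer
        edit 1
            set peer-ip 10.0.0.2
        next
    end
end
"""

if __name__ == "__main__":
    for finding in audit("7.4.5", SAMPLE_CONFIG):
        print("-", finding)
```

Run against the sample, a device on 7.4.5 yields four findings (the affected version, fabric access and auto-auth-extension-device on port1, and the peer entry); on a fixed release the version finding drops out but the three configuration findings remain, which is the point of the advisory's note that the inter-controller-key should be rotated even after patching.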

The vulnerability was internally discovered and reported by Gwendal Guégniaud of the Fortinet Product Security Team. No CVE ID was assigned in the advisory. This disclosure follows a recent critical out-of-bounds write vulnerability in the same CAPWAP daemon, highlighting ongoing security scrutiny of Fortinet's wireless controller functionality.

While the CVSS score is moderate, the ability for an unauthenticated attacker to write device configuration from the local subnet could lead to further compromise, especially in environments where the non-default configuration is present. Organizations using FortiGate devices should review their configurations and apply patches promptly to mitigate risk.

Synthesized by Vypr AI