CVSS2
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | SINGLE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |
Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |

CVSS3
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |

EPSS
Metric | Value |
---|---|
Percentile | 69.2% |
The Fortinet FortiWAN (AscenLink) network load balancer appliance contains multiple vulnerabilities.
According to the reporter, the Fortinet FortiWAN network load balancer appliance contains the following vulnerabilities.
CWE-78: Improper Neutralization of Special Elements used in an OS Command ("OS Command Injection") - CVE-2016-4965
The diagnosis_control.php page is vulnerable to command injection via the "graph" GET parameter. A non-administrative authenticated attacker having access privileges to the nslookup functionality can inject arbitrary operating system commands and execute them in the context of the root user.
CWE-302: Authentication Bypass by Assumed-Immutable Data - CVE-2016-4966
The diagnosis_control.php page has a tcpdump function that can capture FortiWAN data packets and download the captured packets to the local host for analysis and debugging. A non-administrative authenticated attacker with access privileges can change the HTTP GET parameter "UserName" to "Administrator" to download a PCAP file of all packets captured from the FortiWAN device since the tcpdump function was activated.
CWE-200: Information Exposure - CVE-2016-4967
An authenticated but low privileged user may obtain a backup of the device configuration by visiting the URL /script/cfg_show.php of the FortiWAN appliance, or a PCAP of tcpdump data by visiting /script/system/tcpdump.php.
CWE-200: Information Exposure - CVE-2016-4968
An authenticated but low privileged user may perform a GET request of the /linkreport/tmp/admin_global page of the FortiWAN appliance and obtain the administrator login cookie.
CWE-79: Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") - CVE-2016-4969
The IP parameter of the /script/statistics/getconn.php file is vulnerable to cross-site scripting.
The CVSS score below is based on CVE-2016-4965.
An authenticated but low-privileged (non-administrator) account may be able to execute OS commands in the root context, capture network traffic through the FortiWAN device, obtain appliance system configuration, or conduct cross-site scripting attacks against administrator users.
Apply an update
Fortinet has released FortiWAN 4.2.5 which addresses all issues. For more information, please see the changelog. Affected users are encouraged to update as soon as possible.
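An added example, not part of the original advisory or Fortinet's code: a Python triage pass over web access logs that flags requests matching the five issues described above. The combined log format, the sample lines, and the directory of diagnosis_control.php (the advisory gives only its file name) are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Shell metacharacters: a legitimate "graph" value needs none of them (assumption).
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n\r]")
# Markup characters: a well-formed IP address contains none of them.
MARKUP = re.compile("[<>\"'()]")
# URLs the advisory says a low-privileged session can fetch.
EXPOSED = {
    "/script/cfg_show.php": "CVE-2016-4967 configuration backup",
    "/script/system/tcpdump.php": "CVE-2016-4967 PCAP download",
    "/linkreport/tmp/admin_global": "CVE-2016-4968 administrator cookie",
}
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(line):
    """Return the advisory findings matched by one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    hits = [EXPOSED[url.path]] if url.path in EXPOSED else []
    # The advisory gives only the file name, so match it in any directory.
    if url.path.endswith("/diagnosis_control.php"):
        if any(SHELL_META.search(v) for v in params.get("graph", [])):
            hits.append("CVE-2016-4965 shell metacharacter in graph")
        if "Administrator" in params.get("UserName", []):
            hits.append("CVE-2016-4966 UserName=Administrator")
    if url.path == "/script/statistics/getconn.php":
        if any(MARKUP.search(v) for v in params.get("IP", [])):
            hits.append("CVE-2016-4969 markup in IP")
    return hits

# Constructed log lines for illustration, not captured from a real device.
SAMPLE = [
    '198.51.100.7 - - [06/Sep/2016:10:00:01 +0000] "GET /diagnosis_control.php?graph=eth0 HTTP/1.1" 200 512',
    '198.51.100.7 - - [06/Sep/2016:10:00:02 +0000] "GET /diagnosis_control.php?graph=eth0%3Bid HTTP/1.1" 200 512',
    '198.51.100.7 - - [06/Sep/2016:10:00:03 +0000] "GET /diagnosis_control.php?UserName=Administrator HTTP/1.1" 200 90311',
    '198.51.100.7 - - [06/Sep/2016:10:00:04 +0000] "GET /script/cfg_show.php HTTP/1.1" 200 20480',
    '198.51.100.7 - - [06/Sep/2016:10:00:05 +0000] "GET /script/statistics/getconn.php?IP=%3Cb%3E HTTP/1.1" 200 734',
    '198.51.100.7 - - [06/Sep/2016:10:00:06 +0000] "GET /script/statistics/getconn.php?IP=192.0.2.9 HTTP/1.1" 200 734',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line) or "clean", "<-", line.split('"')[1])
```

A match is a lead rather than a verdict: an administrator's own session may send the same requests, so correlate each hit with the account that owned the session.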
724487
Notified: July 14, 2016 Updated: September 09, 2016
Statement Date: September 09, 2016
Affected
We have not received a statement from the vendor.
FortiWAN version 4.2.5 addresses all vulnerabilities listed in VU#724487. Please see the release notes below for more information.
Group | Score | Vector |
---|---|---|
Base | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C |
Temporal | 8 | E:POC/RL:U/RC:UR |
Environmental | 6.0 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
Thanks to Virgoteam (Fan-Syun Shih, Kun-Xian Lin, and Yu-Chi Ding) for reporting these vulnerabilities.
This document was written by Garret Wassermann.
CVE IDs: | CVE-2016-4965, CVE-2016-4966, CVE-2016-4967, CVE-2016-4968, CVE-2016-4969 |
---|---|
Date Public: | 2016-09-06 Date First Published: |