7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.076 Low
EPSS
Percentile
94.2%
Fortinet FortiGate and FortiWiFi appliances are susceptible to man-in-the-middle attacks (CWE-300) and a heap-based overflow vulnerability (CWE-122).
Fortinet FortiGate and FortiWiFi 4.00.6 and possibly earlier versions are susceptible to man-in-the-middle attacks (CWE-300) and a heap-based overflow vulnerability (CWE-122). The vulnerabilities exist in the FortiManager service running on TCP port 541.
CWE-300**: Channel Accessible by Non-Endpoint (‘Man-in-the-Middle’)**** -**CVE-2014-0351
The FortiManager remote service relies on client-side SSL certificates to encrypt traffic between the client and server. It is possible for a client to specify the SSL cipher suite to use for the connection, including a cipher suite that does not use certificates for authentication, such as ADH-AES256-SHA. This could allow an adjacent unprivileged attacker to man-in-the-middle communications between the client and FortiManager service.
CWE-122**: Heap-based Buffer Overflow -**CVE-2014-2216
The FortiManager remote service uses a protocol with a message format that will allocate space for eight argument pointers on the heap. However, when parsing the message format an arbitrary number of argument pointers are accepted. This can cause a heap-based buffer overflow. A remote, unprivileged attacker may be able to exploit this vulnerability to run arbitrary code on the appliance.
The CVSS score reflects CVE-2014-2216.
A remote unauthenticated attacker may be able to man-in-the-middle traffic between the client and FortiManager service or execute arbitrary code on the appliance.
Fortinet recommends upgrading to FortiOS 4.3.16, 5.0.8, or 5.2.0 to receive the patch. Additionally, please consider the following workaround.
Disable the remote management service
The FortiManager remote service that runs on port 541 can be disabled.
730964
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Updated: April 10, 2014
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: May 07, 2014 Updated: May 07, 2014
Unknown
We have not received a statement from the vendor.
Group | Score | Vector |
---|---|---|
Base | 5.1 | AV:N/AC:H/Au:N/C:P/I:P/A:P |
Temporal | 3.8 | E:U/RL:OF/RC:C |
Environmental | 0.9 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND |
Thanks to Gregor Kopf of Recurity Labs GmbH for reporting this vulnerability.
This document was written by Jared Allar and Todd Lewellen.
CVE IDs: | CVE-2014-0351, CVE-2014-2216 |
---|---|
Date Public: | 2014-08-19 Date First Published: |