CERTVU:730964FortiNet FortiGate and FortiWiFi appliances contain multiple vulnerabilities
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.076 Low
EPSS
Percentile
94.2%
Overview
Fortinet FortiGate and FortiWiFi appliances are susceptible to man-in-the-middle attacks (CWE-300) and a heap-based overflow vulnerability (CWE-122).
Description
Fortinet FortiGate and FortiWiFi 4.00.6 and possibly earlier versions are susceptible to man-in-the-middle attacks (CWE-300) and a heap-based overflow vulnerability (CWE-122). The vulnerabilities exist in the FortiManager service running on TCP port 541.
CWE-300**: Channel Accessible by Non-Endpoint (‘Man-in-the-Middle’)**** -**CVE-2014-0351
The FortiManager remote service relies on client-side SSL certificates to encrypt traffic between the client and server. It is possible for a client to specify the SSL cipher suite to use for the connection, including a cipher suite that does not use certificates for authentication, such as ADH-AES256-SHA. This could allow an adjacent unprivileged attacker to man-in-the-middle communications between the client and FortiManager service.
CWE-122**: Heap-based Buffer Overflow -**CVE-2014-2216
The FortiManager remote service uses a protocol with a message format that will allocate space for eight argument pointers on the heap. However, when parsing the message format an arbitrary number of argument pointers are accepted. This can cause a heap-based buffer overflow. A remote, unprivileged attacker may be able to exploit this vulnerability to run arbitrary code on the appliance.
The CVSS score reflects CVE-2014-2216.
Impact
A remote unauthenticated attacker may be able to man-in-the-middle traffic between the client and FortiManager service or execute arbitrary code on the appliance.
Solution
Fortinet recommends upgrading to FortiOS 4.3.16, 5.0.8, or 5.2.0 to receive the patch. Additionally, please consider the following workaround.
Disable the remote management service
The FortiManager remote service that runs on port 541 can be disabled.
Vendor Information
730964
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Fortinet, Inc. Affected
Updated: April 10, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Recurity Unknown
Notified: May 07, 2014 Updated: May 07, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 5.1 | AV:N/AC:H/Au:N/C:P/I:P/A:P |
| Temporal | 3.8 | E:U/RL:OF/RC:C |
| Environmental | 0.9 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND |
References
- <https://cwe.mitre.org/data/definitions/122.html>
- <https://cwe.mitre.org/data/definitions/300.html>
- <http://www.fortiguard.com/advisory/FG-IR-14-006/>
Acknowledgements
Thanks to Gregor Kopf of Recurity Labs GmbH for reporting this vulnerability.
This document was written by Jared Allar and Todd Lewellen.
Other Information
| CVE IDs: | CVE-2014-0351, CVE-2014-2216 |
|---|---|
| Date Public: | 2014-08-19 Date First Published: |
Related
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.076 Low
EPSS
Percentile
94.2%