Lucene search

HistoryMay 26, 2015 - 12:00 a.m.

Fortinet FortiManager 5.0.x < 5.0.11 / 5.2.x < 5.2.2 Multiple Vulnerabilities (FG-IR-15-011)

2015-05-2600:00:00

www.tenable.com

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.003

Percentile

69.2%

JSON

The remote host is running a version of FortiManager that is 5.0.x prior to 5.0.11 or 5.2.x prior 5.2.2. It is, therefore, affected by multiple vulnerabilities :

An unspecified flaw exists that allows an unauthenticated, remote attacker to inject arbitrary OS commands. (CVE-2015-3611)
A cross-site scripting (XSS) vulnerability exists due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, by convincing a user to follow a specially crafted link, to execute arbitrary script code in a user’s browser session. (CVE-2015-3612)
An unspecified SQL injection vulnerability exists due to improper sanitization of user-supplied input before using it in SQL queries.
An unspecified local privilege escalation vulnerability exists in the command line interface.
A cross-site scripting vulnerability exists due to improper validation of user profile information.
An unspecified arbitrary file download vulnerability exists. An attacker can exploit this to disclose sensitive information.
An unspecified remote privilege escalation vulnerability exists. An attacker can exploit this by modifying specific parameters.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(83812);
  script_version("1.9");
  script_cvs_date("Date: 2019/01/02 11:18:37");

  script_cve_id("CVE-2015-3611", "CVE-2015-3612");
  script_bugtraq_id(74444);

  script_name(english:"Fortinet FortiManager 5.0.x < 5.0.11 / 5.2.x < 5.2.2 Multiple Vulnerabilities (FG-IR-15-011)");
  script_summary(english:"Checks the version of FortiManager.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of FortiManager that is 5.0.x
prior to 5.0.11 or 5.2.x prior 5.2.2. It is, therefore, affected by
multiple vulnerabilities :

  - An unspecified flaw exists that allows an
    unauthenticated, remote attacker to inject arbitrary OS
    commands. (CVE-2015-3611)

  - A cross-site scripting (XSS) vulnerability exists due to
    improper validation of user-supplied input. An
    unauthenticated, remote attacker can exploit this, by
    convincing a user to follow a specially crafted link, to
    execute arbitrary script code in a user's browser
    session. (CVE-2015-3612)

  - An unspecified SQL injection vulnerability exists due to
    improper sanitization of user-supplied input before
    using it in SQL queries.

  - An unspecified local privilege escalation vulnerability
    exists in the command line interface.

  - A cross-site scripting vulnerability exists due to
    improper validation of user profile information.

  - An unspecified arbitrary file download vulnerability
    exists. An attacker can exploit this to disclose
    sensitive information.

  - An unspecified remote privilege escalation
    vulnerability exists. An attacker can exploit this by
    modifying specific parameters.");
  script_set_attribute(attribute:"see_also", value:"https://fortiguard.com/psirt/FG-IR-15-011");
  script_set_attribute(attribute:"see_also", value:"https://docs.fortinet.com/fortimanager/release-information");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Fortinet FortiManager version 5.0.11 / 5.2.2 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/04/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/26");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fortinet:fortimanager_firmware");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Firewalls");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("fortinet_version.nbin");
  script_require_keys("Host/Fortigate/model", "Host/Fortigate/version", "Host/Fortigate/build");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

model   = get_kb_item_or_exit("Host/Fortigate/model");
version = get_kb_item_or_exit("Host/Fortigate/version");
build   = get_kb_item_or_exit("Host/Fortigate/build");

app_name = NULL;
vuln     = FALSE;

# Make sure device is FortiManager
match = eregmatch(string:model, pattern:"(fortimanager)", icase:TRUE);
if (!isnull(match[1]))
  app_name = match[1];
else
  audit(AUDIT_HOST_NOT, "a FortiManager device");

if (version =~ "^5\.2($|\.)")
{
  fix = "5.2.2";
  fix_build = "706";
}
else if (version =~ "^5\.0($|\.)")
{
  fix = "5.0.11";
  fix_build = "Unknown";
}
else
  audit(AUDIT_INST_VER_NOT_VULN, app_name, version);

# If build number is available, this is the safest comparison.
# Otherwise compare version numbers.
if (build !~ "Unknown" && fix_build !~ "Unknown")
{
  if (int(build) < int(fix_build)) vuln = TRUE;
}
else if (ver_compare(ver:version, fix:fix, strict:FALSE) == -1) vuln = TRUE;

if (vuln)
{
  port = 0;

  set_kb_item(name:"www/"+port+"/XSS", value:TRUE);
  set_kb_item(name:'www/'+port+'/SQLInjection', value:TRUE);

  if (report_verbosity > 0)
  {
    report =
      '\n  Model             : ' + model +
      '\n  Installed version : ' + version +
      '\n  Fixed version     : ' + fix +
      '\n';

    security_hole(extra:report, port:port);
  }
  else security_hole(port);
  exit(0);
}
else audit(AUDIT_INST_VER_NOT_VULN, app_name, version);

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3611

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3612

docs.fortinet.com/fortimanager/release-information

fortiguard.com/psirt/FG-IR-15-011

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.003

Percentile

69.2%

JSON

Related for FORTINET_FG-IR-15-011.NASL