The Fortinet FortiOS management console running on the remote host is affected by a remote code execution vulnerability, known as EGREGIOUSBLUNDER, in its web interface due to improper validation when parsing cookies. An unauthenticated, remote attacker can exploit this, via a specially crafted HTTP request, to cause a buffer overflow condition, resulting in a denial of service condition or the execution of arbitrary code.
EGREGIOUSBLUNDER is one of multiple Equation Group vulnerabilities and exploits disclosed on 2016/08/14 by a group known as the Shadow Brokers.
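Note that this plugin is a destructive check: it attempts to kill the httpsd process, which appears to restart after termination, so the management web interface may be interrupted while the scan runs. Additionally, this plugin only runs when report paranoia is set to 'Paranoid', because it relies on a missing server response to indicate a vulnerable status, which may or may not be reliable; treat a positive result as a potential finding and confirm it against the installed FortiOS version.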
{"id": "FORTIOS_COOKIE_PARSING_BOF.NASL", "type": "nessus", "bulletinFamily": "scanner", "title": "Fortinet FortiOS Web Interface Cookie Parser RCE (EGREGIOUSBLUNDER)", "description": "The Fortinet FortiOS management console running on the remote host is affected by a remote code execution vulnerability, known as EGREGIOUSBLUNDER, in its web interface due to improper validation when parsing cookies. An unauthenticated, remote attacker can exploit this, via a specially crafted HTTP request, to cause a buffer overflow condition, resulting in a denial of service condition or the execution of arbitrary code.\n\nEGREGIOUSBLUNDER is one of multiple Equation Group vulnerabilities and exploits disclosed on 2016/08/14 by a group known as the Shadow Brokers.\n\nNote that this plugin attempts to kill the httpsd process, which appears to restart after termination. Additionally, this plugin requires report paranoia as it relies on a missing server response to indicate a vulnerable status, which may or may not be reliable.", "published": "2016-08-29T00:00:00", "modified": "2018-11-15T00:00:00", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/93196", "reporter": "This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.", "references": ["https://fortiguard.com/psirt/FG-IR-16-023", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6909", "http://www.nessus.org/u?4c7e0cf3"], "cvelist": ["CVE-2016-6909"], "immutableFields": [], "lastseen": "2021-10-19T00:58:19", "viewCount": 2132, "enchantments": {"dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2016-1168"]}, {"type": "cve", "idList": ["CVE-2016-6909"]}, {"type": "fortinet", "idList": ["FG-IR-16-023"]}, {"type": "nessus", "idList": ["FORTIOS_FG-IR-16-023.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310105875", 
"OPENVAS:1361412562310105886"]}, {"type": "zdt", "idList": ["1337DAY-ID-25265"]}]}, "score": {"value": 0.0, "vector": "NONE"}, "backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2016-1168"]}, {"type": "cve", "idList": ["CVE-2016-6909"]}, {"type": "nessus", "idList": ["FORTIGATE_DETECT.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310105886"]}, {"type": "zdt", "idList": ["1337DAY-ID-25265"]}]}, "exploitation": null, "vulnersScore": 0.0}, "pluginID": "93196", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93196);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/11/15 20:50:17\");\n\n script_cve_id(\"CVE-2016-6909\");\n script_bugtraq_id(92523);\n script_xref(name:\"EDB-ID\", value:\"40276\");\n\n script_name(english:\"Fortinet FortiOS Web Interface Cookie Parser RCE (EGREGIOUSBLUNDER)\");\n script_summary(english:\"Tries to terminate the remote httpsd.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web-based management console running on the remote host is affected\nby a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Fortinet FortiOS management console running on the remote host\nis affected by a remote code execution vulnerability, known as\nEGREGIOUSBLUNDER, in its web interface due to improper validation when\nparsing cookies. An unauthenticated, remote attacker can exploit this,\nvia a specially crafted HTTP request, to cause a buffer overflow\ncondition, resulting in a denial of service condition or the execution\nof arbitrary code.\n\nEGREGIOUSBLUNDER is one of multiple Equation Group vulnerabilities and\nexploits disclosed on 2016/08/14 by a group known as the Shadow\nBrokers.\n\nNote that this plugin attempts to kill the httpsd process, which\nappears to restart after termination. 
Additionally, this plugin\nrequires report paranoia as it relies on a missing server response to\nindicate a vulnerable status, which may or may not be reliable.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://fortiguard.com/psirt/FG-IR-16-023\");\n # https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4c7e0cf3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Fortinet FortiOS 4.1.11 / 4.2.13 / 4.3.9 / 5.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:X\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fortinet:fortios\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"fortigate_detect.nasl\");\n script_require_keys(\"www/fortios_ui\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 443);\n\n 
exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"url_func.inc\");\ninclude(\"webapp_func.inc\");\n\n# Use lack of response to flag vulnerability is not so reliable\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# FortiOS web gui not detected\nget_kb_item_or_exit(\"www/fortios_ui\");\n\nport = get_http_port(default:443, embedded: TRUE);\n\n# Do https only\nif(get_port_transport(port) == ENCAPS_IP)\n exit(0, \"Not testing non-https port \" + port + \".\");\n\napp_name = \"FortiOS Web Interface\";\ninstall = get_install_from_kb(appname:'fortios_ui', port:port, exit_on_fail:TRUE);\ndir = install['dir'];\nreport_url = build_url(port:port, qs:dir);\n\n\n#\n# Request 1: Get the cookie name to use \n#\nres = http_send_recv3(\n method:'GET',\n item:'/login',\n port:port,\n exit_on_fail:TRUE\n );\n\nmatches = eregmatch(string: res[1], pattern:\"(APSCOOKIE.*?)=\");\nif(matches)\n{\n cookie_name = matches[1];\n}\nelse\n{\n exit(1, \"Failed to get APSCOOKIE name.\");\n}\n\nurl = \"/index\";\n\n#\n# Request 2: Test with a cookie having a valid length\n#\ncookie_good = cookie_name + \n'=Era=0&Payload=' +\ncrap(data:'A', length: 0x1000);\n\nres = http_send_recv3(\n method:'POST',\n item:url,\n port:port,\n add_headers: make_array(\"Cookie\", cookie_good),\n exit_on_fail: TRUE \n );\n\n#\n# Request 3: Attempt to kill httpsd\n#\ncookie_bad = cookie_name + \n'=Era=0&Payload=' +\ncrap(data:'A', length: 0x1100); \n\nres = http_send_recv3(\n method:'POST',\n item:url,\n port:port,\n add_headers: make_array(\"Cookie\", cookie_bad)\n );\n\nreq = http_last_sent_request();\n\nif(res[2])\n{\n audit(AUDIT_WEB_APP_NOT_AFFECTED, app_name, report_url);\n}\nelse\n{\n security_report_v4(port: port, \n severity: SECURITY_HOLE, \n generic: TRUE,\n request: make_list(req)\n );\n}\n", "naslFamily": "CGI abuses", "cpe": ["cpe:/o:fortinet:fortios"], "solution": "Upgrade to Fortinet FortiOS 4.1.11 / 4.2.13 / 
4.3.9 / 5.0 or later.", "nessusSeverity": "Critical", "cvssScoreSource": "", "vpr": {"risk factor": "Medium", "score": "6.7"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2016-08-17T00:00:00", "vulnerabilityPublicationDate": "2016-08-14T00:00:00", "exploitableWith": [], "_state": {"dependencies": 1647589307, "score": 1659703426}}
{"checkpoint_advisories": [{"lastseen": "2021-12-17T11:06:38", "description": "A remote code execution vulnerability exists in Fortinet FortiOS. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2021-11-28T00:00:00", "type": "checkpoint_advisories", "title": "Fortinet FortiOS Remote Code Execution (CVE-2016-6909)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6909"], "modified": "2021-11-28T00:00:00", "id": "CPAI-2016-1168", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "fortinet": [{"lastseen": "2022-04-28T11:51:12", "description": "FortiGate (FortiOS): \n4.3.8 and below \n4.2.12 and below \n4.1.10 and below\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-08-17T00:00:00", "type": "fortinet", "title": "Cookie Parser Buffer Overflow Vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6909"], "modified": "2016-08-17T00:00:00", "id": "FG-IR-16-023", "href": "https://www.fortiguard.com/psirt/FG-IR-16-023", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-10-19T00:58:11", "description": "The remote FortiGate device is running a version of FortiOS that is 4.1.x prior to 4.1.11, 4.2.x prior to 4.2.13, or 4.3.x prior to 4.3.9. It is, therefore, affected by a remote code execution vulnerability, known as EGREGIOUSBLUNDER, in the web interface due to improper validation when parsing cookies. An unauthenticated, remote attacker can exploit this, via a specially crafted HTTP request, to cause a buffer overflow condition, resulting in a denial of service condition or the execution of arbitrary code. 
\n\n\nEGREGIOUSBLUNDER is one of multiple Equation Group vulnerabilities and exploits disclosed on 2016/08/14 by a group known as the Shadow Brokers.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-08-26T00:00:00", "type": "nessus", "title": "Fortinet FortiOS 4.1.x < 4.1.11 / 4.2.x < 4.2.13 / 4.3.x < 4.3.9 Web Interface Cookie Parser RCE (EGREGIOUSBLUNDER)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-6909"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/o:fortinet:fortios"], "id": "FORTIOS_FG-IR-16-023.NASL", "href": "https://www.tenable.com/plugins/nessus/93128", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93128);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/11/15 20:50:22\");\n\n script_cve_id(\"CVE-2016-6909\");\n script_bugtraq_id(92523);\n script_xref(name:\"EDB-ID\", value:\"40276\");\n\n script_name(english:\"Fortinet FortiOS 4.1.x < 4.1.11 / 4.2.x < 4.2.13 / 4.3.x < 4.3.9 Web Interface Cookie Parser RCE (EGREGIOUSBLUNDER)\");\n script_summary(english:\"Checks version of FortiOS.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote FortiGate device is running a version of FortiOS that is\n4.1.x prior to 4.1.11, 4.2.x prior to 4.2.13, or 4.3.x prior to 4.3.9. \nIt is, therefore, affected by a remote code execution vulnerability,\nknown as EGREGIOUSBLUNDER, in the web interface due to improper\nvalidation when parsing cookies. An unauthenticated, remote attacker\ncan exploit this, via a specially crafted HTTP request, to cause a\nbuffer overflow condition, resulting in a denial of service condition\nor the execution of arbitrary code. 
\n\n\nEGREGIOUSBLUNDER is one of multiple Equation Group vulnerabilities and\nexploits disclosed on 2016/08/14 by a group known as the Shadow\nBrokers.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://fortiguard.com/psirt/FG-IR-16-023\");\n # https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4c7e0cf3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Fortinet FortiOS 4.1.11 / 4.2.13 / 4.3.9 / 5.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\",value:\"2016/08/14\");\n script_set_attribute(attribute:\"patch_publication_date\",value:\"2016/08/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/26\");\n\n script_set_attribute(attribute:\"plugin_type\",value:\"local\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/o:fortinet:fortios\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Firewalls\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"fortinet_version.nbin\");\n script_require_keys(\"Host/Fortigate/model\", \"Host/Fortigate/version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\napp_name = \"FortiOS\";\n\nversion = 
get_kb_item_or_exit(\"Host/Fortigate/version\");\nmodel = get_kb_item_or_exit(\"Host/Fortigate/model\");\n\n# Make sure device is FortiGate\nif (!preg(string:model, pattern:\"fortigate\", icase:TRUE)) audit(AUDIT_HOST_NOT, \"a FortiGate\");\n\nif (version =~ \"^4\\.1\\.\") fix = \"4.1.11\";\nelse if (version =~ \"^4\\.2\\.\") fix = \"4.2.13\";\nelse if (version =~ \"^4\\.3\\.\") fix = \"4.3.9\";\nelse audit(AUDIT_INST_VER_NOT_VULN, app_name, version);\n\nif (ver_compare(ver:version, fix:fix, strict:FALSE) == -1)\n{\n report =\n '\\n Model : ' + model +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_report_v4(severity:SECURITY_HOLE, extra:report, port:0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, app_name, version);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T15:03:19", "description": "Buffer overflow in the Cookie parser in Fortinet FortiOS 4.x before 4.1.11, 4.2.x before 4.2.13, and 4.3.x before 4.3.9 and FortiSwitch before 3.4.3 allows remote attackers to execute arbitrary code via a crafted HTTP request, aka EGREGIOUSBLUNDER.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-08-24T16:30:00", "type": "cve", "title": "CVE-2016-6909", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 
10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6909"], "modified": "2019-05-22T15:06:00", "cpe": ["cpe:/o:fortinet:fortiswitch:3.4.2"], "id": "CVE-2016-6909", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6909", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:fortinet:fortiswitch:3.4.2:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2019-05-29T18:35:48", "description": "FortiGate firmware (FOS) released before Aug 2012 has a cookie parser buffer overflow vulnerability.", "cvss3": {}, "published": "2016-08-18T00:00:00", "type": "openvas", "title": "FortiOS: Cookie Parser Buffer Overflow Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-6909"], "modified": "2018-10-25T00:00:00", "id": "OPENVAS:1361412562310105875", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105875", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fortigate_FG-IR-16-023.nasl 12096 2018-10-25 12:26:02Z asteins $\n#\n# FortiOS: Cookie Parser Buffer Overflow Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/h:fortinet:fortigate\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105875\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 12096 $\");\n script_cve_id(\"CVE-2016-6909\");\n\n script_name(\"FortiOS: Cookie Parser Buffer Overflow Vulnerability\");\n\n script_xref(name:\"URL\", value:\"https://fortiguard.com/psirt/FG-IR-16-023\");\n\n script_tag(name:\"impact\", value:\"This vulnerability, when exploited by a crafted HTTP request, can result in execution control being taken over.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"solution\", value:\"Upgrade to release 5.x.\nUpgrade to release 4.3.9 or above for models not compatible with FortiOS 5.x.\");\n\n script_tag(name:\"summary\", value:\"FortiGate firmware (FOS) released before Aug 2012 has a cookie parser buffer overflow vulnerability.\");\n\n script_tag(name:\"affected\", value:\"FortiGate (FOS):\n\n4.3.8 and below\n\n4.2.12 and below\n\n4.1.10 and below\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-25 14:26:02 +0200 (Thu, 25 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-08-18 11:05:04 +0200 (Thu, 18 Aug 2016)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"FortiOS Local Security Checks\");\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n 
script_dependencies(\"gb_fortigate_version.nasl\");\n script_mandatory_keys(\"fortigate/version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! version = get_app_version( cpe:CPE ) ) exit( 0 );\n\nif( version =~ \"^4\\.1\\.\" ) fix = '4.1.11';\nif( version =~ \"^4\\.2\\.\" ) fix = '4.2.13';\nif( version =~ \"^4\\.3\\.\" ) fix = '4.3.9';\n\nif( ! fix ) exit( 99 );\n\nif( version_is_less( version:version, test_version:fix ) )\n{\n report = report_fixed_ver( installed_version:version, fixed_version:fix );\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-12T17:21:47", "description": "FortiGate firmware (FOS) released before Aug 2012 has a cookie parser buffer overflow vulnerability.", "cvss3": {}, "published": "2016-09-06T00:00:00", "type": "openvas", "title": "FortiOS: Cookie Parser Buffer Overflow Vulnerability (remote check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-6909"], "modified": "2020-05-08T00:00:00", "id": "OPENVAS:1361412562310105886", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105886", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# FortiOS: Cookie Parser Buffer Overflow Vulnerability (remote check)\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105886\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_cve_id(\"CVE-2016-6909\");\n script_name(\"FortiOS: Cookie Parser Buffer Overflow Vulnerability (remote check)\");\n\n script_xref(name:\"URL\", value:\"https://fortiguard.com/psirt/FG-IR-16-023\");\n\n script_tag(name:\"impact\", value:\"This vulnerability, when exploited by a crafted HTTP request, can result in execution control being taken over.\");\n\n script_tag(name:\"vuldetect\", value:\"Check the Etag\");\n\n script_tag(name:\"solution\", value:\"Upgrade to release 5.x.\nUpgrade to release 4.3.9 or above for models not compatible with FortiOS 5.x.\");\n\n script_tag(name:\"summary\", value:\"FortiGate firmware (FOS) released before Aug 2012 has a cookie parser buffer overflow vulnerability.\");\n\n script_tag(name:\"affected\", value:\"FortiGate (FOS):\n\n4.3.8 and below\n\n4.2.12 and below\n\n4.1.10 and below\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-09-06 11:28:49 +0200 (Tue, 06 Sep 2016)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_dependencies(\"gb_get_http_banner.nasl\");\n script_require_ports(\"Services/www\", 
443);\n script_mandatory_keys(\"ETag/banner\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\n\ninclude(\"misc_func.inc\");\n\nport = http_get_port( default:443 );\n\nbanner = http_get_remote_headers( port:port );\nif( ! banner || \"ETag\" >!< banner ) exit( 0 );\n\netag = eregmatch( pattern:'ETag: \"([^\"]+)\"', string:banner );\nif( isnull(etag[1] ) ) exit( 0 );\n\netag = split( etag[1], sep:\"-\", keep:FALSE );\nif( ( max_index( etag ) < 3 ) ) exit( 0 );\n\net = etag[2];\nif( strlen( et ) != 8 ) exit( 0 );\n\netags = make_list( \"44443fd4\",\"44c526c5\",\"45a3ea60\",\"45baacf4\",\"45f0af67\",\"47e0669f\",\"468abbad\",\"46c6166d\",\n \"46df457c\",\"4602cf97\",\"463b99a6\",\"468cad93\",\"46d9607c\",\"47b355de\",\"489129e7\",\"443ede0d\",\n \"44c52c4f\",\"452184d7\",\"45a3f01e\",\"45bab263\",\"45f0b580\",\"4602cfe5\",\"463b9965\",\"468cbb86\",\n \"46d9672a\",\"471d2e73\",\"47b355da\",\"47e06d95\",\"48912069\",\"468ac1d0\",\"46a7ad09\",\"46c61f79\",\n \"46df4da9\",\"4717beff\",\"474b9480\",\"47bcda2f\",\"48b30fac\",\"490bb64e\",\"47a3f4ee\",\"47df4682\",\n \"482b72f5\",\"488fa68e\",\"49064b4d\",\"49ae1d20\",\"487e7a57\",\"48d43154\",\"49273663\",\"49ade40f\",\n \"49c45c70\",\"49dd033a\",\"4a4a955b\",\"4ace863a\",\"4b3185d6\",\"4b7c8347\",\"4cc1d9e0\",\"4a384886\",\n \"4b0f40be\",\"4a8de859\",\"4ade3518\",\"4b318abd\",\"4b58d924\",\"4ba3e7e6\",\"4c22a3f3\",\"4c2a8446\",\n \"4c88306f\",\"4ca38e08\",\"4d435410\",\"4dfaabba\",\"ff80c272\",\"ff80c279\",\"4c74581f\",\"4d083087\",\n \"4d6d53b0\",\"4d93bdf9\",\"4dae0eb8\",\"4dd6af49\",\"4e2496ed\",\"4d84169e\",\"4e090fe3\",\"44443ed6\",\n \"44c52afa\",\"4522b784\",\"45500063\",\"45a3f02e\",\"45bab272\",\"45f0ba4d\",\"460d7a1f\",\"463aa4d2\",\n \"46806d0b\",\"46cb9bfc\",\"47e06dbe\",\"48913626\",\"45948af9\",\"45a6f4c1\",\"45ba73c7\",\"45f1c561\",\n \"460d88a0\",\"468ac251\",\"468321e2\",\"46c61fcf\",\"46df4e86\",\"4717c14d\",\"474b9d17\",\"47bcdc5c\",\n 
\"48b312ee\",\"490bb6a0\",\"47a3f5a7\",\"47df4721\",\"482b7090\",\"488faa33\",\"49064b4b\",\"49ae254b\",\n \"49ffa204\",\"487e7ecc\",\"48d43248\",\"492737d4\",\"49adeaae\",\"49c45cd3\",\"49dd05b9\",\"4a4aec23\",\n \"4acfd94e\",\"4b328455\",\"4b7c709c\",\"4cc85189\",\"499f3750\",\"49db8b32\",\"4a37e55a\",\"4b16d0ce\",\n \"4a8de79b\",\"4ade32fe\",\"4b318bb4\",\"4b58d9e4\",\"4ba3e887\",\"4c22a8f5\",\"4c2a8e5f\",\"4c882f51\",\n \"4ca39510\",\"4d4359e1\",\"4dfab1c1\",\"ff2a0272\",\"ff2a0279\",\"4c746630\",\"4d083771\",\"4d6d57f7\",\n \"4d93c93e\",\"4dae1c33\",\"4dd6be44\",\"4e24a35c\",\"4d8404a9\",\"4e08fc94\",\"443ed96e\",\"44c52523\",\n \"4522a9b7\",\"454ff829\",\"45a3eee4\",\"45baafe1\",\"45f0b528\",\"460d78e2\",\"463a9d82\",\"468066d7\",\n \"46cb9803\",\"47e06db5\",\"48913369\",\"45948486\",\"45a6ed51\",\"45ba6c80\",\"45f1bee7\",\"460d84ba\",\n \"468ac195\",\"46831ae7\",\"46c61d81\",\"46df4be9\",\"4717b955\",\"474b9368\",\"47bce039\",\"48b309de\",\n \"490bb553\",\"47a3eb7d\",\"47df39f8\",\"482b665b\",\"488f9d9e\",\"49063f0f\",\"49ae0f61\",\"49ff87ee\",\n \"487e6e64\",\"48d42a0e\",\"49272ac0\",\"49adcf83\",\"49c4428a\",\"49dcea97\",\"4a4ac8a2\",\"4acfb690\",\n \"4b329ac9\",\"4b7c0774\",\"4cc85360\",\"499f36b3\",\"49db8a40\",\"4a37e407\",\"4b16ce6b\",\"4a8de5fb\",\n \"4ade33db\",\"4b318b1d\",\"4b58d915\",\"4ba3e740\",\"4c22a3f3\",\"4c2a87f3\",\"4c88270e\",\"4ca3911b\",\n \"4d4348f3\",\"4dfaabc1\",\"ff3a0272\",\"ff3a0279\",\"4c745c40\",\"4d082d04\",\"4d6d537d\",\"4d93ba56\",\n \"4dae0ccf\",\"4dd6af6d\",\"4e2496d3\",\"4d83fb16\",\"4e08f34e\",\"45218416\",\"454ffff6\",\"45a3f2a2\",\n \"45bab65e\",\"45f0bb96\",\"482b785e\",\"490651ca\",\"487e7fcd\",\"48d438a9\",\"49273e0c\",\"49adecc7\",\n \"49c471d3\",\"49dd07b8\",\"4a4aeee3\",\"499f381f\",\"49db8b9d\",\"4a37e5ed\",\"4b16d150\",\"4a8de874\",\n \"4ade3634\",\"4b318c6f\",\"4b58da4a\",\"4ba3ea3a\",\"4c22abac\",\"4c2a8b64\",\"4c88304b\",\"4ca394e0\",\n 
\"4d435b90\",\"4dfab44e\",\"ff4a0272\",\"ff4a0279\",\"4c746382\",\"4d083d66\",\"4d6d6086\",\"4d93cef4\",\n \"4dae1d25\",\"4dd6bce0\",\"4e24a478\",\"4fd0169d\",\"4d840fc3\",\"4e08fe48\",\"48d434a1\",\"499f37d5\",\n \"49db8c53\",\"4a37e619\",\"4b16d14f\",\"4a8de872\",\"4ade35c8\",\"4b318c8f\",\"4b58d602\",\"4ba3ea39\",\n \"ff5a0272\",\"48ebf4e5\",\"49a726b1\",\"49c2f6eb\",\"49d50ba6\",\"4a4972e5\",\"4acf7bf4\",\"4b317cd0\",\n \"4b7c83e9\",\"4cc07c21\",\"499f3876\",\"49db8a8c\",\"4a37e799\",\"4b16ce32\",\"4a8de5dd\",\"4ade354e\",\n \"4b31890b\",\"4b58d766\",\"4ba3e517\",\"4c22a1af\",\"4c2a8997\",\"4c882a6e\",\"4ca38e77\",\"4d434d71\",\n \"4dfaaa8e\",\"ff6b0272\",\"ff6b0279\",\"4c745805\",\"4d0830cf\",\"4d6d4f28\",\"4d93c137\",\"4dae0619\",\n \"4dd6af65\",\"4e2494a1\",\"4d8402ca\",\"4e090c3c\",\"443ed9bc\",\"44c524a6\",\"45217d85\",\"45a3e9c5\",\n \"45baac66\",\"45f0aeca\",\"460d732c\",\"463a98c5\",\"46806671\",\"46cb95bb\",\"47e0676b\",\"48912cc2\",\n \"459484d8\",\"45a6eda3\",\"45ba6ce1\",\"45f1bf6b\",\"460d8176\",\"468abbd8\",\"4683142d\",\"46c618cd\",\n \"46df475e\",\"4717baf9\",\"474b9010\",\"47bcd6f0\",\"48b30c5e\",\"490bb4a5\",\"47a3e919\",\"47df3b36\",\n \"482b67a1\",\"488f9d2b\",\"49063c22\",\"49ae068e\",\"49ff8382\",\"487e6b1d\",\"48d4212c\",\"4927278f\",\n \"49adc356\",\"49c43b4e\",\"49dcde89\",\"4a4ac12f\",\"4acfae3e\",\"4b32925e\",\"4b7bff1f\",\"4cc8529a\",\n \"499f3690\",\"49db8a5a\",\"4a37e3fe\",\"4b16ce96\",\"4a8de623\",\"4ade32d7\",\"4b318927\",\"4b58d762\",\n \"4ba3e573\",\"4c229fca\",\"4c2a82c9\",\"4c882661\",\"4ca391ed\",\"4d434fb7\",\"4dfaabbb\",\"ff800272\",\n \"ff800279\",\"4c74569a\",\"4d082af0\",\"4d6d5188\",\"4d93ba54\",\"4dae0da0\",\"4dd6af1e\",\"4e2496ea\",\n \"4d84181e\",\"4e090fbe\",\"45a6edd5\",\"82ffffff\",\"83ffffff\",\"45217ec9\",\"49064d61\",\"46d96863\",\n \"49d11af3\",\"46cb9c1e\",\"4acff334\" );\n\nif( in_array( search:et, array:etags ) )\n{\n report = 'The Etag \"' + et + '\" of the remote Forti device was found in the 
\"EGBL.config\" and therefore the device is affected by a security bypass.';\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 0 );\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-04-11T15:03:24", "description": "Exploit for hardware platform in category web applications", "cvss3": {}, "published": "2016-08-19T00:00:00", "type": "zdt", "title": "Fortigate Firewalls - 'EGREGIOUSBLUNDER' Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-6909"], "modified": "2016-08-19T00:00:00", "id": "1337DAY-ID-25265", "href": "https://0day.today/exploit/description/25265", "sourceData": "# Exploit Title: Fortigate Firewalls - Remote Code Execution (EGREGIOUSBLUNDER)\r\n# Date: 19-08-2016\r\n# Exploit Author: Shadow Brokers\r\n# Vendor Homepage: https://www.fortinet.com/products/fortigate/\r\n \r\n \r\nFull Exploit:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40276.zip\n\n# 0day.today [2018-04-11] #", "sourceHref": "https://0day.today/exploit/25265", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}