The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of FGT

computer vulnerability bulletin CVE-2013-6990

FortiAuthenticator: shell execution

Synthesis of the vulnerability

A privileged attacker can inject a command in FortiAuthenticator, in order to execute a shell command on the server.
Impacted products: FortiGate, FortiGate Virtual Appliance, FortiOS.
Severity: 1/4.
Creation date: 17/12/2013.
Identifiers: BID-64610, CVE-2013-6990, FG-IR-13-016, VIGILANCE-VUL-13958.

Description of the vulnerability

The FortiAuthenticator product provides a command line to the administrator.

However, the administrator can escape a FortiAuthenticator command, so it is inserted in a shell command.

A privileged attacker can therefore inject a command in FortiAuthenticator, in order to execute a shell command on the server.
Complete Vigil@nce bulletin.... (free trial)

computer vulnerability note CVE-2013-1414

FortiGate: Cross Site Request Forgery of System-Settings and Firewall-Policies

Synthesis of the vulnerability

An attacker can trigger a Cross Site Request Forgery in System-Settings and Firewall-Policies of FortiGate, in order to force the victim to perform operations.
Impacted products: FortiGate, FortiOS.
Severity: 2/4.
Creation date: 02/07/2013.
Identifiers: BID-60861, CVE-2013-1414, FGA-2013-22, VIGILANCE-VUL-13029.

Description of the vulnerability

The web interface of FortiGate is used to modify the configuration (System-Settings) and the security policy (Firewall-Policies).

However, the origin of queries is not checked. They can for example originate from an image included in an HTML document.

An attacker can therefore trigger a Cross Site Request Forgery in System-Settings and Firewall-Policies of FortiGate, in order to force the victim to perform operations.
Complete Vigil@nce bulletin.... (free trial)

vulnerability note CVE-2013-4604

FortiGate: privilege escalation

Synthesis of the vulnerability

An attacker can use the Guest account of FortiGate, in order to read and modify data related to others users.
Impacted products: FortiGate, FortiOS.
Severity: 2/4.
Creation date: 17/06/2013.
Identifiers: BID-60571, CVE-2013-4604, FGA-2013-22, VIGILANCE-VUL-12984.

Description of the vulnerability

An attacker can use the Guest account of FortiGate, in order to read and modify data related to others users.

Technical details are unknown.
Complete Vigil@nce bulletin.... (free trial)

computer vulnerability note CVE-2012-4948

FortiGate: man-in-the-middle attack

Synthesis of the vulnerability

When the administrator did not change the default certification authority for SSL/TLS inspection of FortiGate, an attacker can create a fake server/proxy and intercept user's data.
Impacted products: FortiGate, FortiGate Virtual Appliance, FortiOS.
Severity: 2/4.
Creation date: 05/11/2012.
Identifiers: BID-56382, CVE-2012-4948, VIGILANCE-VUL-12109, VU#111708.

Description of the vulnerability

The FortiGate product can inspect SSL/TLS streams. In order to do so, it has a certification authority, and signs new server certificates. The client, who accepted this certification authority, sees no warning in his web browser.

However, the certification authority (public and private keys) is the same on all FortiGate. An attacker, who has access to one FortiGate can therefore obtain the private key. He can then create malicious server certificates, and sign them, so that users do not see a warning when connecting to the server.

When the administrator did not change the default certification authority for SSL/TLS inspection of FortiGate, an attacker can therefore create a fake server/proxy and intercept user's data.
Complete Vigil@nce bulletin.... (free trial)

vulnerability 11940

FortiGate: several Cross Site Scripting

Synthesis of the vulnerability

An attacker can use several vulnerabilities of FortiGate appliances, in order to execute script code in privileged contexts.
Impacted products: FortiGate, FortiGate Virtual Appliance, FortiOS.
Severity: 2/4.
Creation date: 13/09/2012.
Identifiers: BID-55591, VIGILANCE-VUL-11940.

Description of the vulnerability

FortiGate appliances have a web interface.

However, the "mkey", "context", "title" and "msg" parameters are not filtered before being injected in generated HTML pages.

An attacker can therefore use several Cross Site Scripting of FortiGate appliances, in order to execute script code in privileged contexts.
Complete Vigil@nce bulletin.... (free trial)

computer vulnerability note 11939

FortiGate: several Cross Site Scripting

Synthesis of the vulnerability

An attacker can use several vulnerabilities of FortiGate appliances, in order to execute script code in privileged contexts.
Impacted products: FortiGate, FortiGate Virtual Appliance, FortiOS.
Severity: 2/4.
Creation date: 13/09/2012.
Identifiers: BID-55529, VIGILANCE-VUL-11939.

Description of the vulnerability

FortiGate appliances have a web interface.

However, these interfaces do not correctly filter their Add or Tag parameters. An attacker can then store script code, which is executed on each visit, and thus generate a Cross Site Scripting on visitor's computer.

An attacker can therefore use several vulnerabilities of FortiGate appliances, in order to execute script code in privileged contexts.
Complete Vigil@nce bulletin.... (free trial)

vulnerability note CVE-2012-1420 CVE-2012-1423 CVE-2012-1425

Fortinet FortiGate: bypassing via CAB, CHM, ELF, EXE, Office, RAR, TAR, ZIP

Synthesis of the vulnerability

An attacker can create an archive or a program containing a virus, which is not detected by Fortinet FortiGate.
Impacted products: FortiGate, FortiGate Virtual Appliance, FortiOS.
Severity: 2/4.
Creation date: 21/03/2012.
Identifiers: BID-52580, BID-52588, BID-52595, BID-52598, BID-52600, BID-52601, BID-52602, BID-52604, BID-52605, BID-52606, BID-52608, BID-52612, BID-52613, BID-52615, BID-52621, BID-52623, BID-52626, CVE-2012-1420, CVE-2012-1423, CVE-2012-1425, CVE-2012-1439, CVE-2012-1440, CVE-2012-1442, CVE-2012-1443, CVE-2012-1444, CVE-2012-1445, CVE-2012-1446, CVE-2012-1447, CVE-2012-1453, CVE-2012-1454, CVE-2012-1456, CVE-2012-1459, CVE-2012-1461, CVE-2012-1462, VIGILANCE-VUL-11474.

Description of the vulnerability

Tools extracting archives (CAB, TAR, ZIP, etc.) accept to extract archives which are slightly malformed. Systems also accept to execute programs (ELF, EXE) which are slightly malformed. However, Fortinet FortiGate does not detect viruses contained in these archives/programs.

A TAR archive containing "\7fELF" as its first 4 bytes bypasses the detection. [severity:1/4; BID-52615, CVE-2012-1420]

A TAR archive containing "MZ" as its first 2 bytes bypasses the detection. [severity:1/4; BID-52588, CVE-2012-1423]

A TAR archive containing "\50\4B\03\04" as its first 4 bytes bypasses the detection. [severity:1/4; BID-52580, CVE-2012-1425]

An ELF program containing a large "padding" field bypasses the detection. [severity:2/4; BID-52602, CVE-2012-1439]

An ELF program containing a large "identsize" field bypasses the detection. [severity:2/4; BID-52595, CVE-2012-1440]

An EXE program containing a large "class" field bypasses the detection. [severity:2/4; BID-52598, CVE-2012-1442]

A RAR archive containing "MZ" as its first 2 bytes bypasses the detection. [severity:1/4; BID-52612, CVE-2012-1443]

An ELF program containing a large "abiversion" field bypasses the detection. [severity:2/4; BID-52604, CVE-2012-1444]

An ELF program containing a large "abi" field bypasses the detection. [severity:2/4; BID-52605, CVE-2012-1445]

An ELF program containing a large "encoding" field bypasses the detection. [severity:2/4; BID-52600, CVE-2012-1446]

An ELF program containing a large "e_version" field bypasses the detection. [severity:2/4; BID-52601, CVE-2012-1447]

A CAB archive containing a large "coffFiles" field bypasses the detection. [severity:1/4; BID-52621, CVE-2012-1453]

An ELF program containing a large "ei_version" field bypasses the detection. [severity:2/4; BID-52606, CVE-2012-1454]

A ZIP archive starting by TAR data bypasses the detection. [severity:1/4; BID-52608, CVE-2012-1456]

A TAR archive with a header containing a large value bypasses the detection. [severity:1/4; BID-52623, CVE-2012-1459]

A TAR+GZ archive containing two streams bypasses the detection. [severity:1/4; BID-52626, CVE-2012-1461]

A ZIP archive starting by 1024 random bytes bypasses the detection. [severity:1/4; BID-52613, CVE-2012-1462]

An attacker can therefore create an archive containing a virus which is not detected by the antivirus, but which is extracted by extraction tools. The virus is then detected once it has been extracted on victim's computer. An attacker can also create a program, containing a virus which is not detected by the antivirus, but which can be run by the system.
Complete Vigil@nce bulletin.... (free trial)

computer vulnerability CVE-2012-0941

FortiGate: several vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of FortiGate appliances, in order to execute script code in privileged contexts.
Impacted products: FortiGate, FortiGate Virtual Appliance, FortiOS.
Severity: 2/4.
Creation date: 30/01/2012.
Identifiers: BID-51708, CVE-2012-0941, FGA-2012-02, VIGILANCE-VUL-11325.

Description of the vulnerability

FortiGate appliances have a web interface.

However, these interfaces do not correctly filter their parameters. An attacker can then store script code, which is executed on each visit. He can also generate a Cross Site Scripting on visitor's computer. The fields_sorted_opt parameter of user/auth/list fields_sorted_opt and endpointcompliance/app_detect/predefined_sig_list can be used as an attack vector.

The following features are impacted:
  Dailup List
  Endpoint > Monitor > Endpoint Monitor
  Endpoint > NAC > Application Database > Listings
  List field sorted
  Log&Report > Display

An attacker can therefore use several vulnerabilities of FortiGate appliances, in order to execute script code in privileged contexts.
Complete Vigil@nce bulletin.... (free trial)

vulnerability 10590

TCP, Firewalls: TCP Split Handshake

Synthesis of the vulnerability

An attacker owing a malicious server can use a special TCP initialization sequence, in order to force the firewall to open a TCP session to the client.
Impacted products: ASA, IOS Cisco, Cisco Router xx00 Series, FortiGate, FortiOS, NetScreen Firewall, ScreenOS, TCP.
Severity: 1/4.
Creation date: 21/04/2011.
Identifiers: CSCth67416, CSCtn29288, CSCtn29349, KB20877, PSN-2011-04-229, VIGILANCE-VUL-10590.

Description of the vulnerability

A TCP session initialization sequence starts with:
 - the client sends a packet with the SYN flag
 - the server answers a SYN-ACK
 - the client answers an ACK

The RFC 793 describes it in four steps (page 27, "simultaneous-open handshake"):
 - the client sends a packet with the SYN flag
 - the server answers an ACK
 - the server sends a SYN
 - the client answers an ACK

Linux, Windows and MacOS incorrectly implement the "simultaneous-open handshake":
 - the Linux/Windows/MacOS client sends a packet with the SYN flag
 - the server answers an ACK (can be ignored by the client)
 - the server sends a SYN
 - the Linux/Windows/MacOS client answers a SYN-ACK (instead of an ACK alone)
When the server answers a ACK, a firewall on the path just saw : a SYN, then a SYN-ACK and then an ACK. Some firewalls interpret these three exchanges as a connection from the server to the client.

An attacker owing a malicious server can therefore use a special TCP initialization sequence, in order to force the firewall to open a TCP session to the client. It can be noted that the firewall has an invalid internal state, but this session was initiated by the client.
Complete Vigil@nce bulletin.... (free trial)

vulnerability note 8654

FortiGate: bypassing via an archive

Synthesis of the vulnerability

An attacker can create an archive containing a virus which is not detected by FortiGate.
Impacted products: FortiGate, FortiOS.
Severity: 2/4.
Creation date: 20/04/2009.
Identifiers: BID-34583, VIGILANCE-VUL-8654.

Description of the vulnerability

An attacker can create an archive containing a virus which is not detected by FortiGate.

Technical details are unknown.
Complete Vigil@nce bulletin.... (free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about FGT: