Sign-up

ID

VAR-200512-0019


CVE

CVE-2005-3058


TITLE

Fortinet FortiGate URL Check for filter bypass vulnerabilities

Trust: 0.6

sources: CNNVD: CNNVD-200512-899

DESCRIPTION

Interpretation conflict in Fortinet FortiGate 2.8, running FortiOS 2.8MR10 and v3beta, allows remote attackers to bypass the URL blocker via an (1) HTTP request terminated with a line feed (LF) and not carriage return line feed (CRLF) or (2) HTTP request with no Host field, which is still processed by most web servers without violating RFC2616. Fortinet FortiGate is prone to a vulnerability that could allow users to bypass the device's URL filtering. FortiGate devices running FortiOS v2.8MR10 and v3beta are vulnerable to this issue. Other versions may also be affected. Fortinet FortiGate is a network security platform developed by Fortinet. The platform provides functions such as firewall, antivirus and intrusion prevention (IPS), application control, antispam, wireless controller and WAN acceleration. TITLE: FortiGate URL Filter and Virus Scanning Bypass Vulnerabilities SECUNIA ADVISORY ID: SA18844 VERIFY ADVISORY: http://secunia.com/advisories/18844/ CRITICAL: Less critical IMPACT: Security Bypass WHERE: >From local network OPERATING SYSTEM: Fortinet FortiOS (FortiGate) 2.x http://secunia.com/product/2289/ Fortinet FortiOS (FortiGate) 3.x http://secunia.com/product/6802/ DESCRIPTION: Mathieu Dessus has reported two vulnerabilities in FortiGate, which can be exploited by malicious people and users to bypass certain security restrictions. 1) The URL blocking functionality can be bypassed by specially-crafted HTTP requests that are terminated by the CR character instead of the CRLF characters. It is also possible to bypass the functionality via a HTTP/1.0 request with no host header. The vulnerability has been reported in FortiOS v2.8MR10 and v3beta. 2) The virus scanning functionality can be bypassed when sending files over FTP under certain conditions. The vulnerability has been reported in FortiOS v2.8MR10 and v3beta. SOLUTION: Do not rely on URL blocking as the only means of blocking users' access. Desktop-based on-access virus scanners should be used together with server-based virus scanners. PROVIDED AND/OR DISCOVERED BY: Mathieu Dessus ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/042139.html http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/042140.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 1.35

sources: NVD: CVE-2005-3058 // BID: 16599 // VULHUB: VHN-14267 // PACKETSTORM: 43767

AFFECTED PRODUCTS

vendor:fortinetmodel:fortigatescope:eqversion:2.8

Trust: 1.6

vendor:fortinetmodel:fortiosscope:lteversion:3_beta

Trust: 1.0

vendor:fortinetmodel:fortiosscope:lteversion:2.8_mr10

Trust: 1.0

vendor:fortinetmodel:fortiosscope:eqversion:2.8_mr10

Trust: 0.6

vendor:fortinetmodel:fortiosscope:eqversion:3_beta

Trust: 0.6

vendor:fortinetmodel:fortios betascope:eqversion:3.0

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:2.80

Trust: 0.3

vendor:fortinetmodel:fortios mr5scope:eqversion:2.50

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:2.50

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:2.36

Trust: 0.3

vendor:fortinetmodel:fortios mr10scope:eqversion:2.8

Trust: 0.3

vendor:fortinetmodel:fortios 0mr4scope:eqversion:2.5

Trust: 0.3

vendor:fortinetmodel:fortiosscope:neversion:3.0

Trust: 0.3

vendor:fortinetmodel:fortios mr12scope:neversion:2.80

Trust: 0.3

sources: BID: 16599 // CNNVD: CNNVD-200512-899 // NVD: CVE-2005-3058

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2005-3058
value: HIGH

Trust: 1.0

CNNVD: CNNVD-200512-899
value: HIGH

Trust: 0.6

VULHUB: VHN-14267
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2005-3058
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-14267
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-14267 // CNNVD: CNNVD-200512-899 // NVD: CVE-2005-3058

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.1

sources: VULHUB: VHN-14267 // NVD: CVE-2005-3058

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200512-899

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-200512-899

EXPLOIT AVAILABILITY

sources:
            
            
            VULHUB: VHN-14267

EXTERNAL IDS
db:NVDid:CVE-2005-3058
Trust: 2.0
db:BIDid:16599
Trust: 2.0
db:SECUNIAid:18844
Trust: 1.8
db:VUPENid:ADV-2006-0539
Trust: 1.7
db:CNNVDid:CNNVD-200512-899
Trust: 0.7
db:XFid:24626
Trust: 0.6
db:FULLDISCid:20060213 URL FILTER BYPASS IN FORTINET
Trust: 0.6
db:BUGTRAQid:20060213 URL FILTER BYPASS IN FORTINET
Trust: 0.6
db:NSFOCUSid:8486
Trust: 0.6
db:EXPLOIT-DBid:27203
Trust: 0.1
db:SEEBUGid:SSVID-80820
Trust: 0.1
db:VULHUBid:VHN-14267
Trust: 0.1
db:PACKETSTORMid:43767
Trust: 0.1
sources:
            
            
            VULHUB: VHN-14267 // 
            
            
            
            BID: 16599 // 
            
            
            
            PACKETSTORM: 43767 // 
            
            
            
            CNNVD: CNNVD-200512-899 // 
            
            
            
            NVD: CVE-2005-3058

REFERENCES
url:http://lists.grok.org.uk/pipermail/full-disclosure/2006-february/042140.html
Trust: 1.8
url:http://www.securityfocus.com/bid/16599
Trust: 1.7
url:http://www.fortiguard.com/advisory/fga-2006-10.html
Trust: 1.7
url:http://secunia.com/advisories/18844
Trust: 1.7
url:http://www.securityfocus.com/archive/1/424858/100/0/threaded
Trust: 1.1
url:http://www.vupen.com/english/advisories/2006/0539
Trust: 1.1
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/24626
Trust: 1.1
url:http://xforce.iss.net/xforce/xfdb/24626
Trust: 0.6
url:http://www.securityfocus.com/archive/1/archive/1/424858/100/0/threaded
Trust: 0.6
url:http://www.frsirt.com/english/advisories/2006/0539
Trust: 0.6
url:http://www.nsfocus.net/vulndb/8486
Trust: 0.6
url:http://fortinet.com/fortiguardcenter/url_vuln.html
Trust: 0.3
url:http://www.fortinet.com/
Trust: 0.3
url:/archive/1/485794
Trust: 0.3
url:/archive/1/485813
Trust: 0.3
url:/archive/1/424858
Trust: 0.3
url:http://secunia.com/product/6802/
Trust: 0.1
url:http://secunia.com/secunia_security_advisories/
Trust: 0.1
url:http://lists.grok.org.uk/pipermail/full-disclosure/2006-february/042139.html
Trust: 0.1
url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
Trust: 0.1
url:http://secunia.com/about_secunia_advisories/
Trust: 0.1
url:http://secunia.com/advisories/18844/
Trust: 0.1
url:http://secunia.com/product/2289/
Trust: 0.1
sources:
            
            
            VULHUB: VHN-14267 // 
            
            
            
            BID: 16599 // 
            
            
            
            PACKETSTORM: 43767 // 
            
            
            
            CNNVD: CNNVD-200512-899 // 
            
            
            
            NVD: CVE-2005-3058

CREDITS
Mathieu Dessus  mdessus@gmail.com
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-200512-899

SOURCES
db:VULHUBid:VHN-14267
db:BIDid:16599
db:PACKETSTORMid:43767
db:CNNVDid:CNNVD-200512-899
db:NVDid:CVE-2005-3058

LAST UPDATE DATE
2024-08-14T14:00:32.223000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-14267date:2018-10-19T00:00:00
db:BIDid:16599date:2008-01-04T20:19:00
db:CNNVDid:CNNVD-200512-899date:2009-09-05T00:00:00
db:NVDid:CVE-2005-3058date:2018-10-19T15:34:32.297

SOURCES RELEASE DATE
db:VULHUBid:VHN-14267date:2005-12-31T00:00:00
db:BIDid:16599date:2006-02-13T00:00:00
db:PACKETSTORMid:43767date:2006-02-13T19:29:16
db:CNNVDid:CNNVD-200512-899date:2005-12-31T00:00:00
db:NVDid:CVE-2005-3058date:2005-12-31T05:00:00