Details of VAR-201404-0126

ID

VAR-201404-0126

CVE

CVE-2013-6990

TITLE

FortiGuard FortiAuthenticator Vulnerability gained in

Trust: 0.8

sources: JVNDB: JVNDB-2013-006382

DESCRIPTION

FortiGuard FortiAuthenticator before 3.0 allows remote administrators to gain privileges via the command line interface. Fortinet FortiAuthenticator is prone to an unspecified local privilege-escalation. Local attackers can exploit this issue to gain access to the system shell and run arbitrary shell commands with elevated privileges. Fortinet FortiAuthenticator 1.x and 2.x are vulnerable. FortiGuard FortiAuthenticator is a series of security authentication software from Fortinet. It can be combined with FortiToken (two-factor authentication token) to provide secure two-factor authentication to third-party devices authenticated by RADIUS or LDAP. A security vulnerability exists in FortiGuard FortiAuthenticator 2.2 and earlier versions

Trust: 1.98

sources: NVD: CVE-2013-6990 // JVNDB: JVNDB-2013-006382 // BID: 64610 // VULHUB: VHN-66992

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortiauthenticator	scope:	lte	version:	2.2	Trust: 1.0
vendor:	fortinet	model:	fortiauthenticator	scope:	lt	version:	3.0	Trust: 0.8
vendor:	fortinet	model:	fortiauthenticator	scope:	eq	version:	2.2	Trust: 0.6
vendor:	fortinet	model:	fortiauthenticator	scope:	eq	version:	2.0	Trust: 0.3
vendor:	fortinet	model:	fortiauthenticator	scope:	eq	version:	1.0	Trust: 0.3
vendor:	fortinet	model:	fortiauthenticator	scope:	ne	version:	3.0	Trust: 0.3

sources: BID: 64610 // JVNDB: JVNDB-2013-006382 // CNNVD: CNNVD-201401-057 // NVD: CVE-2013-6990

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2013-6990
value:	HIGH
Trust: 1.0
NVD:	CVE-2013-6990
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201401-057
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-66992
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2013-6990
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-66992
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-66992 // JVNDB: JVNDB-2013-006382 // CNNVD: CNNVD-201401-057 // NVD: CVE-2013-6990

PROBLEMTYPE DATA

problemtype:

CWE-264

Trust: 1.9

sources: VULHUB: VHN-66992 // JVNDB: JVNDB-2013-006382 // NVD: CVE-2013-6990

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201401-057

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201401-057

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-006382

PATCH

title:

FortiAuthenticator Privilege Escalation Vulnerability

url:

http://www.fortiguard.com/advisory/FG-IR-13-016/

Trust: 0.8

sources: JVNDB: JVNDB-2013-006382

EXTERNAL IDS

db:	NVD	id:	CVE-2013-6990	Trust: 2.8
db:	BID	id:	64610	Trust: 1.0
db:	JVNDB	id:	JVNDB-2013-006382	Trust: 0.8
db:	CNNVD	id:	CNNVD-201401-057	Trust: 0.7
db:	VULHUB	id:	VHN-66992	Trust: 0.1

sources: VULHUB: VHN-66992 // BID: 64610 // JVNDB: JVNDB-2013-006382 // CNNVD: CNNVD-201401-057 // NVD: CVE-2013-6990

REFERENCES

url:	http://www.fortiguard.com/advisory/fg-ir-13-016/	Trust: 2.0
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/96200	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-6990	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-6990	Trust: 0.8
url:	http://www.securityfocus.com/bid/64610	Trust: 0.6
url:	http://www.fortinet.com/products/fortiauthenticator/	Trust: 0.3

sources: VULHUB: VHN-66992 // BID: 64610 // JVNDB: JVNDB-2013-006382 // CNNVD: CNNVD-201401-057 // NVD: CVE-2013-6990

CREDITS

Yvan Janssens

Trust: 0.9

sources: BID: 64610 // CNNVD: CNNVD-201401-057

SOURCES

db:	VULHUB	id:	VHN-66992
db:	BID	id:	64610
db:	JVNDB	id:	JVNDB-2013-006382
db:	CNNVD	id:	CNNVD-201401-057
db:	NVD	id:	CVE-2013-6990

LAST UPDATE DATE

2024-08-14T14:34:10.173000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-66992	date:	2017-08-29T00:00:00
db:	BID	id:	64610	date:	2013-12-15T00:00:00
db:	JVNDB	id:	JVNDB-2013-006382	date:	2014-05-02T00:00:00
db:	CNNVD	id:	CNNVD-201401-057	date:	2014-05-06T00:00:00
db:	NVD	id:	CVE-2013-6990	date:	2017-08-29T01:34:02.403

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-66992	date:	2014-04-30T00:00:00
db:	BID	id:	64610	date:	2013-12-15T00:00:00
db:	JVNDB	id:	JVNDB-2013-006382	date:	2014-05-02T00:00:00
db:	CNNVD	id:	CNNVD-201401-057	date:	2013-12-15T00:00:00
db:	NVD	id:	CVE-2013-6990	date:	2014-04-30T14:22:05.860