ID

VAR-201404-0126


CVE

CVE-2013-6990


TITLE

FortiGuard FortiAuthenticator Vulnerability gained in

Trust: 0.8

sources: JVNDB: JVNDB-2013-006382

DESCRIPTION

FortiGuard FortiAuthenticator before 3.0 allows remote administrators to gain privileges via the command line interface.

Fortinet FortiAuthenticator is prone to an unspecified local privilege-escalation vulnerability. Local attackers can exploit this issue to gain access to the system shell and run arbitrary shell commands with elevated privileges. Fortinet FortiAuthenticator 1.x and 2.x are vulnerable.

FortiGuard FortiAuthenticator is a series of security authentication software from Fortinet. It can be combined with FortiToken (two-factor authentication token) to provide secure two-factor authentication to third-party devices authenticated by RADIUS or LDAP. A security vulnerability exists in FortiGuard FortiAuthenticator 2.2 and earlier versions.

Trust: 1.98

sources: NVD: CVE-2013-6990 // JVNDB: JVNDB-2013-006382 // BID: 64610 // VULHUB: VHN-66992

AFFECTED PRODUCTS

vendor: fortinet, model: fortiauthenticator, scope: lte, version: 2.2

Trust: 1.0

vendor: fortinet, model: fortiauthenticator, scope: lt, version: 3.0

Trust: 0.8

vendor: fortinet, model: fortiauthenticator, scope: eq, version: 2.2

Trust: 0.6

vendor: fortinet, model: fortiauthenticator, scope: eq, version: 2.0

Trust: 0.3

vendor: fortinet, model: fortiauthenticator, scope: eq, version: 1.0

Trust: 0.3

vendor: fortinet, model: fortiauthenticator, scope: ne, version: 3.0

Trust: 0.3

sources: BID: 64610 // JVNDB: JVNDB-2013-006382 // CNNVD: CNNVD-201401-057 // NVD: CVE-2013-6990

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-6990
value: HIGH

Trust: 1.0

NVD: CVE-2013-6990
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201401-057
value: CRITICAL

Trust: 0.6

VULHUB: VHN-66992
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2013-6990
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-66992
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-66992 // JVNDB: JVNDB-2013-006382 // CNNVD: CNNVD-201401-057 // NVD: CVE-2013-6990

PROBLEMTYPE DATA

problemtype: CWE-264

Trust: 1.9

sources: VULHUB: VHN-66992 // JVNDB: JVNDB-2013-006382 // NVD: CVE-2013-6990

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201401-057

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201401-057

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-006382

PATCH

title: FortiAuthenticator Privilege Escalation Vulnerability, url: http://www.fortiguard.com/advisory/FG-IR-13-016/

Trust: 0.8

sources: JVNDB: JVNDB-2013-006382

EXTERNAL IDS

db: NVD, id: CVE-2013-6990

Trust: 2.8

db: BID, id: 64610

Trust: 1.0

db: JVNDB, id: JVNDB-2013-006382

Trust: 0.8

db: CNNVD, id: CNNVD-201401-057

Trust: 0.7

db: VULHUB, id: VHN-66992

Trust: 0.1

sources: VULHUB: VHN-66992 // BID: 64610 // JVNDB: JVNDB-2013-006382 // CNNVD: CNNVD-201401-057 // NVD: CVE-2013-6990

REFERENCES

url: http://www.fortiguard.com/advisory/fg-ir-13-016/

Trust: 2.0

url: https://exchange.xforce.ibmcloud.com/vulnerabilities/96200

Trust: 1.1

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-6990

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-6990

Trust: 0.8

url: http://www.securityfocus.com/bid/64610

Trust: 0.6

url: http://www.fortinet.com/products/fortiauthenticator/

Trust: 0.3

sources: VULHUB: VHN-66992 // BID: 64610 // JVNDB: JVNDB-2013-006382 // CNNVD: CNNVD-201401-057 // NVD: CVE-2013-6990

CREDITS

Yvan Janssens

Trust: 0.9

sources: BID: 64610 // CNNVD: CNNVD-201401-057

SOURCES

db: VULHUB, id: VHN-66992
db: BID, id: 64610
db: JVNDB, id: JVNDB-2013-006382
db: CNNVD, id: CNNVD-201401-057
db: NVD, id: CVE-2013-6990

LAST UPDATE DATE

2024-08-14T14:34:10.173000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-66992, date: 2017-08-29T00:00:00
db: BID, id: 64610, date: 2013-12-15T00:00:00
db: JVNDB, id: JVNDB-2013-006382, date: 2014-05-02T00:00:00
db: CNNVD, id: CNNVD-201401-057, date: 2014-05-06T00:00:00
db: NVD, id: CVE-2013-6990, date: 2017-08-29T01:34:02.403

SOURCES RELEASE DATE

db: VULHUB, id: VHN-66992, date: 2014-04-30T00:00:00
db: BID, id: 64610, date: 2013-12-15T00:00:00
db: JVNDB, id: JVNDB-2013-006382, date: 2014-05-02T00:00:00
db: CNNVD, id: CNNVD-201401-057, date: 2013-12-15T00:00:00
db: NVD, id: CVE-2013-6990, date: 2014-04-30T14:22:05.860