ID

VAR-201502-0395


CVE

CVE-2015-1452


TITLE

Fortinet FortiOS of Control and Provisioning of Wireless Access Points Service disruption in daemon (DoS) Vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2015-001413

DESCRIPTION

The Control and Provisioning of Wireless Access Points (CAPWAP) daemon in Fortinet FortiOS 5.0 Patch 7 build 4457 allows remote attackers to cause a denial of service (locked CAPWAP Access Controller) via a large number of ClientHello DTLS messages. Supplementary information : CWE Vulnerability type by CWE-17: Code ( code ) Has been identified. Fortinet FortiOS is prone to following security vulnerabilities: 1. A remote denial-of-service vulnerability 2. An information-disclosure vulnerability 3. An HTML-injection vulnerability An attacker may leverage these issues to cause denial-of-service conditions, to perform man-in-the-middle attacks and disclose sensitive information, or execute attacker-supplied HTML or script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Fortinet FortiOS is a set of security operating system specially developed by Fortinet for the FortiGate platform. It provides users with firewall, anti-virus, IPSec/SSL VPN, Web content filtering, anti-spam and other security functions. A security vulnerability exists in the CAPWAP daemon in Fortinet FortiOS 5.0 Patch 7 build 4457

Trust: 1.98

sources: NVD: CVE-2015-1452 // JVNDB: JVNDB-2015-001413 // BID: 72383 // VULHUB: VHN-79413

AFFECTED PRODUCTS

vendor:fortinetmodel:fortiosscope:eqversion:5.0.7

Trust: 1.6

vendor:fortinetmodel:fortiosscope:eqversion:4.3.0 and later (with capwap enabled)

Trust: 0.8

sources: JVNDB: JVNDB-2015-001413 // CNNVD: CNNVD-201502-023 // NVD: CVE-2015-1452

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-1452
value: HIGH

Trust: 1.0

NVD: CVE-2015-1452
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201502-023
value: HIGH

Trust: 0.6

VULHUB: VHN-79413
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2015-1452
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-79413
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-79413 // JVNDB: JVNDB-2015-001413 // CNNVD: CNNVD-201502-023 // NVD: CVE-2015-1452

PROBLEMTYPE DATA

problemtype:CWE-17

Trust: 1.1

problemtype:CWE-Other

Trust: 0.8

sources: VULHUB: VHN-79413 // JVNDB: JVNDB-2015-001413 // NVD: CVE-2015-1452

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201502-023

TYPE

Input Validation Error

Trust: 0.3

sources: BID: 72383

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-001413

PATCH

title:FortiOS CAPWAP server two vulnerabilitiesurl:http://www.fortiguard.com/advisory/FG-IR-15-002/

Trust: 0.8

title:トップページurl:http://www.fortinet.co.jp/

Trust: 0.8

sources: JVNDB: JVNDB-2015-001413

EXTERNAL IDS

db:NVDid:CVE-2015-1452

Trust: 2.8

db:BIDid:72383

Trust: 1.4

db:SECUNIAid:61661

Trust: 1.1

db:JVNDBid:JVNDB-2015-001413

Trust: 0.8

db:CNNVDid:CNNVD-201502-023

Trust: 0.7

db:VULHUBid:VHN-79413

Trust: 0.1

sources: VULHUB: VHN-79413 // BID: 72383 // JVNDB: JVNDB-2015-001413 // CNNVD: CNNVD-201502-023 // NVD: CVE-2015-1452

REFERENCES

url:http://www.security-assessment.com/files/documents/advisory/fortinet_fortios_multiple_vulnerabilities.pdf

Trust: 2.5

url:http://seclists.org/fulldisclosure/2015/jan/125

Trust: 1.7

url:http://www.securityfocus.com/bid/72383

Trust: 1.1

url:http://www.fortiguard.com/advisory/fg-ir-15-002/

Trust: 1.1

url:http://secunia.com/advisories/61661

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-1452

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-1452

Trust: 0.8

sources: VULHUB: VHN-79413 // JVNDB: JVNDB-2015-001413 // CNNVD: CNNVD-201502-023 // NVD: CVE-2015-1452

CREDITS

Denis Andzakovic

Trust: 0.3

sources: BID: 72383

SOURCES

db:VULHUBid:VHN-79413
db:BIDid:72383
db:JVNDBid:JVNDB-2015-001413
db:CNNVDid:CNNVD-201502-023
db:NVDid:CVE-2015-1452

LAST UPDATE DATE

2024-08-14T13:47:49.715000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-79413date:2015-02-19T00:00:00
db:BIDid:72383date:2015-02-16T00:02:00
db:JVNDBid:JVNDB-2015-001413date:2015-03-02T00:00:00
db:CNNVDid:CNNVD-201502-023date:2015-02-03T00:00:00
db:NVDid:CVE-2015-1452date:2015-02-19T18:59:16.610

SOURCES RELEASE DATE

db:VULHUBid:VHN-79413date:2015-02-02T00:00:00
db:BIDid:72383date:2015-01-29T00:00:00
db:JVNDBid:JVNDB-2015-001413date:2015-02-13T00:00:00
db:CNNVDid:CNNVD-201502-023date:2015-02-03T00:00:00
db:NVDid:CVE-2015-1452date:2015-02-02T16:59:05.520