Sign-up

ID

VAR-201502-0396


CVE

CVE-2015-1453


TITLE

Android for Fortinet FortiClient of qm There is a vulnerability in the class that can retrieve important data such as passwords.

Trust: 0.8

sources: JVNDB: JVNDB-2015-001415

DESCRIPTION

The qm class in Fortinet FortiClient 5.2.3.091 for Android uses a hardcoded encryption key of FoRtInEt!AnDrOiD, which makes it easier for attackers to obtain passwords and possibly other sensitive data by leveraging the key to decrypt data in the Shared Preferences. Fortinet FortiClient is prone to multiple security vulnerabilities because it fails to properly sanitize user-supplied input. An attacker can exploit these issues to perform man-in-the-middle attacks, to view encrypted data disclose and obtain sensitive information, which will aid in further attacks. Fortinet FortiClient for Android is a terminal security solution based on the Android platform from Fortinet. The solution provides IPsec and SSL encryption, WAN optimization, endpoint compliance, and two-factor authentication when connected to FortiGate firewall appliances. There is a security vulnerability in the qm class of Android Fortinet FortiClient version 5.2.3.091. The vulnerability stems from the fact that the program uses FoRtInEt!AnDrOiD as a hardcoded encryption key

Trust: 1.98

sources: NVD: CVE-2015-1453 // JVNDB: JVNDB-2015-001415 // BID: 72377 // VULHUB: VHN-79414

AFFECTED PRODUCTS

vendor:fortinetmodel:forticlientscope:eqversion:5.2.3.091

Trust: 1.7

vendor:fortinetmodel:forticlientscope:lteversion:5.2.3.091

Trust: 1.0

vendor:fortinetmodel:forticlientscope:eqversion:5.2.28

Trust: 0.3

sources: BID: 72377 // JVNDB: JVNDB-2015-001415 // CNNVD: CNNVD-201502-024 // NVD: CVE-2015-1453

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-1453
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-1453
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201502-024
value: MEDIUM

Trust: 0.6

VULHUB: VHN-79414
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-1453
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-79414
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-79414 // JVNDB: JVNDB-2015-001415 // CNNVD: CNNVD-201502-024 // NVD: CVE-2015-1453

PROBLEMTYPE DATA

problemtype:CWE-310

Trust: 1.9

sources: VULHUB: VHN-79414 // JVNDB: JVNDB-2015-001415 // NVD: CVE-2015-1453

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201502-024

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201502-024

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-001415

PATCH
title:トップページurl:http://www.fortinet.co.jp/
Trust: 0.8
title:FortiClientエンドポイントセキュリティurl:http://www.fortinet.co.jp/products/forticlient/top.html
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2015-001415

EXTERNAL IDS
db:NVDid:CVE-2015-1453
Trust: 2.8
db:BIDid:72383
Trust: 1.1
db:JVNDBid:JVNDB-2015-001415
Trust: 0.8
db:CNNVDid:CNNVD-201502-024
Trust: 0.7
db:BIDid:72377
Trust: 0.3
db:VULHUBid:VHN-79414
Trust: 0.1
sources:
            
            
            VULHUB: VHN-79414 // 
            
            
            
            BID: 72377 // 
            
            
            
            JVNDB: JVNDB-2015-001415 // 
            
            
            
            CNNVD: CNNVD-201502-024 // 
            
            
            
            NVD: CVE-2015-1453

REFERENCES
url:http://www.security-assessment.com/files/documents/advisory/fortinet_forticlient_multiple_vulnerabilities.pdf
Trust: 2.5
url:http://seclists.org/fulldisclosure/2015/jan/124
Trust: 2.0
url:http://www.securityfocus.com/bid/72383
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-1453
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-1453
Trust: 0.8
url:http://www.fortinet.com/
Trust: 0.3
sources:
            
            
            VULHUB: VHN-79414 // 
            
            
            
            BID: 72377 // 
            
            
            
            JVNDB: JVNDB-2015-001415 // 
            
            
            
            CNNVD: CNNVD-201502-024 // 
            
            
            
            NVD: CVE-2015-1453

CREDITS
Denis Andzakovic
Trust: 0.3
sources:
            
            
            BID: 72377

SOURCES
db:VULHUBid:VHN-79414
db:BIDid:72377
db:JVNDBid:JVNDB-2015-001415
db:CNNVDid:CNNVD-201502-024
db:NVDid:CVE-2015-1453

LAST UPDATE DATE
2024-11-23T22:08:10.187000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-79414date:2015-11-30T00:00:00
db:BIDid:72377date:2015-05-07T17:26:00
db:JVNDBid:JVNDB-2015-001415date:2015-02-13T00:00:00
db:CNNVDid:CNNVD-201502-024date:2015-02-03T00:00:00
db:NVDid:CVE-2015-1453date:2024-11-21T02:25:27.497

SOURCES RELEASE DATE
db:VULHUBid:VHN-79414date:2015-02-02T00:00:00
db:BIDid:72377date:2015-01-29T00:00:00
db:JVNDBid:JVNDB-2015-001415date:2015-02-13T00:00:00
db:CNNVDid:CNNVD-201502-024date:2015-02-03T00:00:00
db:NVDid:CVE-2015-1453date:2015-02-02T16:59:06.457