ID

VAR-201502-0400


CVE

CVE-2015-1457


TITLE

Fortinet FortiAuthenticator Vulnerable to reading arbitrary files

Trust: 0.8

sources: JVNDB: JVNDB-2015-001440

DESCRIPTION

Fortinet FortiAuthenticator 3.0.0 allows local users to read arbitrary files via the -f flag to the dig command. Fortinet FortiAuthenticator Appliance is prone to the following multiple security vulnerabilities: 1. A cross-site scripting vulnerability 2. A command-execution vulnerability 3. Multiple information-disclosure vulnerabilities An attacker can exploit these issues to execute arbitrary script code in the context of the vulnerable site, potentially allowing the attacker to steal cookie-based authentication credentials, execute arbitrary commands and gain access to potentially sensitive information. FortiAuthenticator v300 build 0007 is vulnerable; other versions may also be affected. Fortinet FortiAuthenticator is a series of security authentication software from Fortinet, which can be combined with FortiToken (two-factor authentication token) to provide secure two-factor authentication to third-party devices authenticated by RADIUS or LDAP. A security vulnerability exists in Fortinet FortiAuthenticator version 3.0.0. ( , ) (, . '.' ) ('. ', ). , ('. ( ) ( (_,) .'), ) _ _, / _____/ / _ \ ____ ____ _____ \____ \==/ /_\ \ _/ ___\/ _ \ / \ / \/ | \\ \__( <_> ) Y Y \ /______ /\___|__ / \___ >____/|__|_| / \/ \/.-. \/ \/:wq (x.0) '=.|w|.=' _=''"''=. presents.. The FortiAuthenticator is a user identity management appliance, supporting two factor authentication, RADIUS, LDAP, 802.1x Wireless Authentication, Certificate management and single sign on. The FortiAuthenticator appliance was found to contain a subshell bypass vulnerability, allowing remote administrators to gain root level access via the command line. Local file and password disclosure vulnerabilities were discovered, as well as a Reflected Cross Site Scripting vulnerability within the SCEP system. +--------------+ | Exploitation | +--------------+ --[ dbgcore_enable_shell_access Subshell Bypass By logging into the Fortinet Authenticator and executing the ‘shell’ command, a malicious user can gain a root /bin/bash shell on the server. However, unless the /tmp/privexec/dbgcore_enable_shell_access file exists (the contents of this file are irrelevant), then the command returns ‘shell: No such command.' If the file is present, then the command succeeds and a root shell is given. The ‘/tmp/privexec/dbgcore_enable_shell_access’ file can be created by using the ‘load-debug-kit’ command and specifying a network accessible tftp server with the relevant debug kit. The debug kits were found to be generated by an internal Fortinet tool called ‘mkprivexec’. The ‘load-debug-kit’ command expects encrypted binaries which are subsequently executed. An attacker that can either generate a valid debug kit or create the appropriate file in /tmp/privexec can therefore get a root shell. This is likely a workaround for CVE-2013-6990, however an attacker can still obtain root level command line access with some additional steps. --[ Password Disclosure A malicious user may use the debug logging functionality within the Fortinet FortiAuthenticator administrative console to obtain the passwords of the PostgreSQL database users. The disclosed passwords were found to be weak and are static across Fortinet FortiAuthenticator appliances. The following credentials were enumerated: +-----------------+ |Username:Password| +-----------------+ | slony : slony | |www-data:www-data| +-----------------+ --[ Reflected Cross Site Scripting By coercing a legitimate user (usually through a social engineering attack) to visit a specific FortiAuthenticator URL, an attacker may execute malicious JavaScript in the context of the user’s browser. This can subsequently be used to harm the user’s browser or hijack their session. This is due to the ‘operation’ parameter in the SCEP service being reflected to the end user without sufficient input validation and output scrubbing. The following URL can be used to replicate the Reflected Cross Site Scripting vulnerability: https://<FortiAuthenticatorIP>/cert/scep/?operation=<script>alert(1)</script> +----------+ | Solution | +----------+ No official solution is currently available for these vulnerabilities. Email correspondence with Fortinet suggests that the Local File Disclosure and Password Disclosure vulnerabilities have been resolved in version 3.2. No official documentation was found to confirm this. +---------------------+ | Disclosure Timeline | +---------------------+ 08/10/2014 - Initial email sent to Fortinet PSIRT team. 09/10/2014 - Advisory documents sent to Fortinet. 15/10/2014 - Acknowledgement of advisories from Fortinet. 16/10/2014 - Fortinet advised the Local File and Password disclosure issues would be resolved in the 3.2 release. 31/10/2014 - Additional information sent to Fortinet RE Reflected XSS 03/11/2014 - Additional information sent to Fortinet RE Reflected XSS 02/12/2014 - Update requested from Fortinet. 13/12/2014 - Update requested from Fortinet. 29/01/2015 - Advisory Release. +-------------------------------+ | About Security-Assessment.com | +-------------------------------+ Security-Assessment.com is Australasia's leading team of Information Security consultants specialising in providing high quality Information Security services to clients throughout the Asia Pacific region. Our clients include some of the largest globally recognised companies in areas such as finance, telecommunications, broadcasting, legal and government. Our aim is to provide the very best independent advice and a high level of technical expertise while creating long and lasting professional relationships with our clients. Security-Assessment.com is committed to security research and development, and its team continues to identify and responsibly publish vulnerabilities in public and private software vendor's products. Members of the Security-Assessment.com R&D team are globally recognised through their release of whitepapers and presentations related to new security research. For further information on this issue or any of our service offerings, contact us: Web www.security-assessment.com Email info () security-assessment com Phone +64 4 470 1650

Trust: 2.07

sources: NVD: CVE-2015-1457 // JVNDB: JVNDB-2015-001440 // BID: 72378 // VULHUB: VHN-79418 // PACKETSTORM: 130156

AFFECTED PRODUCTS

vendor:fortinetmodel:fortiauthenticatorscope:eqversion:3.0.0

Trust: 1.6

vendor:fortinetmodel:fortiauthenticatorscope:ltversion:3.2.1

Trust: 0.8

sources: JVNDB: JVNDB-2015-001440 // CNNVD: CNNVD-201502-061 // NVD: CVE-2015-1457

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-1457
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-1457
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201502-061
value: MEDIUM

Trust: 0.6

VULHUB: VHN-79418
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-1457
severity: MEDIUM
baseScore: 4.9
vectorString: AV:L/AC:L/AU:N/C:C/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-79418
severity: MEDIUM
baseScore: 4.9
vectorString: AV:L/AC:L/AU:N/C:C/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-79418 // JVNDB: JVNDB-2015-001440 // CNNVD: CNNVD-201502-061 // NVD: CVE-2015-1457

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.9

sources: VULHUB: VHN-79418 // JVNDB: JVNDB-2015-001440 // NVD: CVE-2015-1457

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201502-061

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201502-061

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-001440

PATCH

title:FortiAuthenticator multiple vulnerabilitiesurl:http://www.fortiguard.com/advisory/FG-IR-15-003/

Trust: 0.8

title:FortiAuthenticator認証サーバーurl:http://www.fortinet.co.jp/products/fortiauthenticator/

Trust: 0.8

sources: JVNDB: JVNDB-2015-001440

EXTERNAL IDS

db:NVDid:CVE-2015-1457

Trust: 2.8

db:BIDid:72378

Trust: 2.0

db:PACKETSTORMid:130156

Trust: 1.8

db:JVNDBid:JVNDB-2015-001440

Trust: 0.8

db:CNNVDid:CNNVD-201502-061

Trust: 0.7

db:XFid:100560

Trust: 0.6

db:VULHUBid:VHN-79418

Trust: 0.1

sources: VULHUB: VHN-79418 // BID: 72378 // JVNDB: JVNDB-2015-001440 // PACKETSTORM: 130156 // CNNVD: CNNVD-201502-061 // NVD: CVE-2015-1457

REFERENCES

url:http://www.security-assessment.com/files/documents/advisory/fortinet_fortiauthenticator_multiple_vulnerabilities.pdf

Trust: 2.6

url:http://www.securityfocus.com/bid/72378

Trust: 1.7

url:http://packetstormsecurity.com/files/130156/fortinet-fortiauthenticator-xss-disclosure-bypass.html

Trust: 1.7

url:http://www.fortiguard.com/advisory/fg-ir-15-003/

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/100560

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-1457

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-1457

Trust: 0.8

url:http://xforce.iss.net/xforce/xfdb/100560

Trust: 0.6

url:http://www.fortinet.com/

Trust: 0.3

url:https://<fortiauthenticatorip>/cert/scep/?operation=<script>alert(1)</script>

Trust: 0.1

sources: VULHUB: VHN-79418 // BID: 72378 // JVNDB: JVNDB-2015-001440 // PACKETSTORM: 130156 // CNNVD: CNNVD-201502-061 // NVD: CVE-2015-1457

CREDITS

Denis Andzakovic

Trust: 0.4

sources: BID: 72378 // PACKETSTORM: 130156

SOURCES

db:VULHUBid:VHN-79418
db:BIDid:72378
db:JVNDBid:JVNDB-2015-001440
db:PACKETSTORMid:130156
db:CNNVDid:CNNVD-201502-061
db:NVDid:CVE-2015-1457

LAST UPDATE DATE

2024-08-14T14:27:41.317000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-79418date:2017-09-08T00:00:00
db:BIDid:72378date:2015-03-19T07:30:00
db:JVNDBid:JVNDB-2015-001440date:2015-03-02T00:00:00
db:CNNVDid:CNNVD-201502-061date:2015-02-04T00:00:00
db:NVDid:CVE-2015-1457date:2017-09-08T01:29:49.293

SOURCES RELEASE DATE

db:VULHUBid:VHN-79418date:2015-02-03T00:00:00
db:BIDid:72378date:2015-01-29T00:00:00
db:JVNDBid:JVNDB-2015-001440date:2015-02-13T00:00:00
db:PACKETSTORMid:130156date:2015-01-29T16:15:59
db:CNNVDid:CNNVD-201502-061date:2015-02-04T00:00:00
db:NVDid:CVE-2015-1457date:2015-02-03T16:59:29.250