Sign-up

ID

VAR-201510-0212


CVE

CVE-2015-7361


TITLE

FortiOS Vulnerable to shell access

Trust: 0.8

sources: JVNDB: JVNDB-2015-005311

DESCRIPTION

FortiOS 5.2.3, when configured to use High Availability (HA) and the dedicated management interface is enabled, does not require authentication for access to the ZebOS shell on the HA dedicated management interface, which allows remote attackers to obtain shell access via unspecified vectors. Fortinet FortiGate running FortiOS is a set of security operating systems developed by Fortinet, a company dedicated to FortiGate network security platforms. The system provides users with multiple security functions such as firewall, antivirus, IPSec / SSL VPN, Web content filtering, and anti-spam. A security bypass vulnerability exists in Fortinet FortiGate running FortiOS 5.2.3. An attacker could use this vulnerability to bypass security restrictions and perform unauthorized operations. This may aid in further attacks. FortiOS 5.2.3 is vulnerable. A remote attacker could exploit this vulnerability to gain shell access

Trust: 2.52

sources: NVD: CVE-2015-7361 // JVNDB: JVNDB-2015-005311 // CNNVD: CNNVD-201507-784 // BID: 76044 // VULHUB: VHN-85322

AFFECTED PRODUCTS

vendor:fortinetmodel:fortiosscope:eqversion:5.2.3

Trust: 2.7

vendor:fortinetmodel:fortiosscope:neversion:5.2.4

Trust: 0.3

sources: BID: 76044 // JVNDB: JVNDB-2015-005311 // CNNVD: CNNVD-201510-275 // NVD: CVE-2015-7361

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-7361
value: HIGH

Trust: 1.0

NVD: CVE-2015-7361
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201510-275
value: CRITICAL

Trust: 0.6

VULHUB: VHN-85322
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2015-7361
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-85322
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-85322 // JVNDB: JVNDB-2015-005311 // CNNVD: CNNVD-201510-275 // NVD: CVE-2015-7361

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.9

sources: VULHUB: VHN-85322 // JVNDB: JVNDB-2015-005311 // NVD: CVE-2015-7361

THREAT TYPE

remote

Trust: 1.2

sources: CNNVD: CNNVD-201507-784 // CNNVD: CNNVD-201510-275

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201507-784

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-005311

PATCH
title:ZebOS routing remote shell service enabledurl:http://www.fortiguard.com/advisory/zebos-routing-remote-shell-service-enabled
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2015-005311

EXTERNAL IDS
db:NVDid:CVE-2015-7361
Trust: 2.8
db:SECTRACKid:1033093
Trust: 1.7
db:BIDid:76044
Trust: 1.0
db:JVNDBid:JVNDB-2015-005311
Trust: 0.8
db:CNNVDid:CNNVD-201510-275
Trust: 0.7
db:CNNVDid:CNNVD-201507-784
Trust: 0.6
db:VULHUBid:VHN-85322
Trust: 0.1
sources:
            
            
            VULHUB: VHN-85322 // 
            
            
            
            BID: 76044 // 
            
            
            
            JVNDB: JVNDB-2015-005311 // 
            
            
            
            CNNVD: CNNVD-201507-784 // 
            
            
            
            CNNVD: CNNVD-201510-275 // 
            
            
            
            NVD: CVE-2015-7361

REFERENCES
url:http://www.fortiguard.com/advisory/zebos-routing-remote-shell-service-enabled
Trust: 1.7
url:http://www.securitytracker.com/id/1033093
Trust: 1.7
url:http://fortiguard.com/advisory/zebos-routing-remote-shell-service-enabled
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7361
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-7361
Trust: 0.8
url:http://www.securityfocus.com/bid/76044
Trust: 0.6
url:https://www.fortinet.com/
Trust: 0.3
url:http://www.fortiguard.com/advisory/fg-ir-15-020/
Trust: 0.3
sources:
            
            
            VULHUB: VHN-85322 // 
            
            
            
            BID: 76044 // 
            
            
            
            JVNDB: JVNDB-2015-005311 // 
            
            
            
            CNNVD: CNNVD-201507-784 // 
            
            
            
            CNNVD: CNNVD-201510-275 // 
            
            
            
            NVD: CVE-2015-7361

CREDITS
Burda Digital Systems
Trust: 0.9
sources:
            
            
            BID: 76044 // 
            
            
            
            CNNVD: CNNVD-201507-784

SOURCES
db:VULHUBid:VHN-85322
db:BIDid:76044
db:JVNDBid:JVNDB-2015-005311
db:CNNVDid:CNNVD-201507-784
db:CNNVDid:CNNVD-201510-275
db:NVDid:CVE-2015-7361

LAST UPDATE DATE
2024-08-14T13:33:37.607000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-85322date:2016-12-03T00:00:00
db:BIDid:76044date:2015-11-03T20:03:00
db:JVNDBid:JVNDB-2015-005311date:2015-10-19T00:00:00
db:CNNVDid:CNNVD-201507-784date:2015-07-29T00:00:00
db:CNNVDid:CNNVD-201510-275date:2015-10-16T00:00:00
db:NVDid:CVE-2015-7361date:2016-12-03T03:12:51.817

SOURCES RELEASE DATE
db:VULHUBid:VHN-85322date:2015-10-15T00:00:00
db:BIDid:76044date:2015-07-24T00:00:00
db:JVNDBid:JVNDB-2015-005311date:2015-10-19T00:00:00
db:CNNVDid:CNNVD-201507-784date:2015-07-29T00:00:00
db:CNNVDid:CNNVD-201510-275date:2015-10-16T00:00:00
db:NVDid:CVE-2015-7361date:2015-10-15T20:59:01.833