ID

VAR-201510-0212


CVE

CVE-2015-7361


TITLE

FortiOS Vulnerable to shell access

Trust: 0.8

sources: JVNDB: JVNDB-2015-005311

DESCRIPTION

FortiOS 5.2.3, when configured to use High Availability (HA) and the dedicated management interface is enabled, does not require authentication for access to the ZebOS shell on the HA dedicated management interface, which allows remote attackers to obtain shell access via unspecified vectors. Fortinet FortiGate running FortiOS is a set of security operating systems developed by Fortinet, a company dedicated to FortiGate network security platforms. The system provides users with multiple security functions such as firewall, antivirus, IPSec / SSL VPN, Web content filtering, and anti-spam. A security bypass vulnerability exists in Fortinet FortiGate running FortiOS 5.2.3. An attacker could use this vulnerability to bypass security restrictions and perform unauthorized operations. This may aid in further attacks. FortiOS 5.2.3 is vulnerable. A remote attacker could exploit this vulnerability to gain shell access

Trust: 2.52

sources: NVD: CVE-2015-7361 // JVNDB: JVNDB-2015-005311 // CNNVD: CNNVD-201507-784 // BID: 76044 // VULHUB: VHN-85322

AFFECTED PRODUCTS

vendor:fortinetmodel:fortiosscope:eqversion:5.2.3

Trust: 2.7

vendor:fortinetmodel:fortiosscope:neversion:5.2.4

Trust: 0.3

sources: BID: 76044 // JVNDB: JVNDB-2015-005311 // CNNVD: CNNVD-201510-275 // NVD: CVE-2015-7361

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-7361
value: HIGH

Trust: 1.0

NVD: CVE-2015-7361
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201510-275
value: CRITICAL

Trust: 0.6

VULHUB: VHN-85322
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2015-7361
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-85322
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-85322 // JVNDB: JVNDB-2015-005311 // CNNVD: CNNVD-201510-275 // NVD: CVE-2015-7361

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.9

sources: VULHUB: VHN-85322 // JVNDB: JVNDB-2015-005311 // NVD: CVE-2015-7361

THREAT TYPE

remote

Trust: 1.2

sources: CNNVD: CNNVD-201507-784 // CNNVD: CNNVD-201510-275

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201507-784

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-005311

PATCH

title:ZebOS routing remote shell service enabledurl:http://www.fortiguard.com/advisory/zebos-routing-remote-shell-service-enabled

Trust: 0.8

sources: JVNDB: JVNDB-2015-005311

EXTERNAL IDS

db:NVDid:CVE-2015-7361

Trust: 2.8

db:SECTRACKid:1033093

Trust: 1.7

db:BIDid:76044

Trust: 1.0

db:JVNDBid:JVNDB-2015-005311

Trust: 0.8

db:CNNVDid:CNNVD-201510-275

Trust: 0.7

db:CNNVDid:CNNVD-201507-784

Trust: 0.6

db:VULHUBid:VHN-85322

Trust: 0.1

sources: VULHUB: VHN-85322 // BID: 76044 // JVNDB: JVNDB-2015-005311 // CNNVD: CNNVD-201507-784 // CNNVD: CNNVD-201510-275 // NVD: CVE-2015-7361

REFERENCES

url:http://www.fortiguard.com/advisory/zebos-routing-remote-shell-service-enabled

Trust: 1.7

url:http://www.securitytracker.com/id/1033093

Trust: 1.7

url:http://fortiguard.com/advisory/zebos-routing-remote-shell-service-enabled

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7361

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-7361

Trust: 0.8

url:http://www.securityfocus.com/bid/76044

Trust: 0.6

url:https://www.fortinet.com/

Trust: 0.3

url:http://www.fortiguard.com/advisory/fg-ir-15-020/

Trust: 0.3

sources: VULHUB: VHN-85322 // BID: 76044 // JVNDB: JVNDB-2015-005311 // CNNVD: CNNVD-201507-784 // CNNVD: CNNVD-201510-275 // NVD: CVE-2015-7361

CREDITS

Burda Digital Systems

Trust: 0.9

sources: BID: 76044 // CNNVD: CNNVD-201507-784

SOURCES

db:VULHUBid:VHN-85322
db:BIDid:76044
db:JVNDBid:JVNDB-2015-005311
db:CNNVDid:CNNVD-201507-784
db:CNNVDid:CNNVD-201510-275
db:NVDid:CVE-2015-7361

LAST UPDATE DATE

2024-08-14T13:33:37.607000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-85322date:2016-12-03T00:00:00
db:BIDid:76044date:2015-11-03T20:03:00
db:JVNDBid:JVNDB-2015-005311date:2015-10-19T00:00:00
db:CNNVDid:CNNVD-201507-784date:2015-07-29T00:00:00
db:CNNVDid:CNNVD-201510-275date:2015-10-16T00:00:00
db:NVDid:CVE-2015-7361date:2016-12-03T03:12:51.817

SOURCES RELEASE DATE

db:VULHUBid:VHN-85322date:2015-10-15T00:00:00
db:BIDid:76044date:2015-07-24T00:00:00
db:JVNDBid:JVNDB-2015-005311date:2015-10-19T00:00:00
db:CNNVDid:CNNVD-201507-784date:2015-07-29T00:00:00
db:CNNVDid:CNNVD-201510-275date:2015-10-16T00:00:00
db:NVDid:CVE-2015-7361date:2015-10-15T20:59:01.833