ID

VAR-201608-0364


CVE

CVE-2016-6909


TITLE

Cookie parser buffer overflow vulnerability in Fortinet FortiOS and FortiSwitch

Trust: 0.8

sources: JVNDB: JVNDB-2016-004445

DESCRIPTION

Buffer overflow in the Cookie parser in Fortinet FortiOS 4.x before 4.1.11, 4.2.x before 4.2.13, and 4.3.x before 4.3.9 and FortiSwitch before 3.4.3 allows remote attackers to execute arbitrary code via a crafted HTTP request, aka EGREGIOUSBLUNDER. Fortinet FortiOS and FortiSwitch are products developed by Fortinet. Fortinet FortiGate is a network security platform developed by Fortinet. The platform provides features such as firewall, anti-virus and intrusion prevention (IPS), application control, anti-spam, wireless controller and WAN acceleration. The vulnerability stems from the program failing to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. An attacker could use this vulnerability to execute arbitrary code in the context of an affected application and may cause a denial of service. Failed exploit attempts will result in denial-of-service conditions. The following versions are affected: Fortinet FortiGate 4.3.8 and prior, Fortinet FortiGate 4.2.12 and prior, and Fortinet FortiGate 4.1.10 and prior.

Trust: 2.61

sources: NVD: CVE-2016-6909 // JVNDB: JVNDB-2016-004445 // CNNVD: CNNVD-201608-383 // BID: 92523 // VULHUB: VHN-95729 // VULMON: CVE-2016-6909

AFFECTED PRODUCTS

vendor: fortinet // model: fortios // scope: lt // version: 4.3.9

Trust: 1.0

vendor: fortinet // model: fortios // scope: lt // version: 4.2.13

Trust: 1.0

vendor: fortinet // model: fortios // scope: gte // version: 4.1.0

Trust: 1.0

vendor: fortinet // model: fortios // scope: gte // version: 4.2.0

Trust: 1.0

vendor: fortinet // model: fortios // scope: gte // version: 4.3.0

Trust: 1.0

vendor: fortinet // model: fortios // scope: lt // version: 4.1.11

Trust: 1.0

vendor: fortinet // model: fortiswitch // scope: lte // version: 3.4.2

Trust: 1.0

vendor: fortinet // model: fortios // scope: eq // version: 4.3.8

Trust: 0.9

vendor: fortinet // model: fortios // scope: eq // version: 4.2.12

Trust: 0.9

vendor: fortinet // model: fortios // scope: eq // version: 4.1.10

Trust: 0.9

vendor: fortinet // model: fortios // scope: eq // version: 4.1.11

Trust: 0.8

vendor: fortinet // model: fortios // scope: lt // version: 4.2.x

Trust: 0.8

vendor: fortinet // model: fortios // scope: lt // version: 4.3.x

Trust: 0.8

vendor: fortinet // model: fortios // scope: eq // version: 4.3.9

Trust: 0.8

vendor: fortinet // model: fortios // scope: lt // version: 4.x

Trust: 0.8

vendor: fortinet // model: fortios // scope: eq // version: 4.2.13

Trust: 0.8

vendor: fortinet // model: fortiswitch // scope: eq // version: 3.4.2

Trust: 0.6

vendor: fortinet // model: fortios // scope: eq // version: 4.3

Trust: 0.3

vendor: fortinet // model: fortigate // scope: eq // version: 0

Trust: 0.3

vendor: fortinet // model: fortios // scope: ne // version: 4.3.9

Trust: 0.3

vendor: fortinet // model: fortios // scope: ne // version: 4.2.13

Trust: 0.3

vendor: fortinet // model: fortios // scope: ne // version: 4.1.11

Trust: 0.3

vendor: fortinet // model: fortios // scope: ne // version: 5.0

Trust: 0.3

sources: BID: 92523 // JVNDB: JVNDB-2016-004445 // CNNVD: CNNVD-201608-446 // NVD: CVE-2016-6909

CVSS

SEVERITY

nvd@nist.gov: CVE-2016-6909
value: CRITICAL

Trust: 1.0

NVD: CVE-2016-6909
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-201608-446
value: CRITICAL

Trust: 0.6

VULHUB: VHN-95729
value: HIGH

Trust: 0.1

VULMON: CVE-2016-6909
value: HIGH

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2016-6909
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-95729
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2016-6909
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-95729 // VULMON: CVE-2016-6909 // JVNDB: JVNDB-2016-004445 // CNNVD: CNNVD-201608-446 // NVD: CVE-2016-6909

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.9

sources: VULHUB: VHN-95729 // JVNDB: JVNDB-2016-004445 // NVD: CVE-2016-6909

THREAT TYPE

remote

Trust: 1.2

sources: CNNVD: CNNVD-201608-383 // CNNVD: CNNVD-201608-446

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-201608-383

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-004445

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-95729 // VULMON: CVE-2016-6909

PATCH

title: Cookie Parser Buffer Overflow Vulnerability
url: http://fortiguard.com/advisory/FG-IR-16-023

Trust: 0.8

title: Fortinet FortiOS and FortiSwitch Buffer Overflow Vulnerability Fix
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=63770

Trust: 0.6

sources: JVNDB: JVNDB-2016-004445 // CNNVD: CNNVD-201608-446

EXTERNAL IDS

db: BID // id: 92523

Trust: 2.7

db: NVD // id: CVE-2016-6909

Trust: 2.6

db: EXPLOIT-DB // id: 40276

Trust: 1.8

db: PACKETSTORM // id: 138387

Trust: 1.8

db: SECTRACK // id: 1036643

Trust: 1.8

db: JVNDB // id: JVNDB-2016-004445

Trust: 0.8

db: CNNVD // id: CNNVD-201608-446

Trust: 0.7

db: CNNVD // id: CNNVD-201608-383

Trust: 0.6

db: VULHUB // id: VHN-95729

Trust: 0.1

db: VULMON // id: CVE-2016-6909

Trust: 0.1

sources: VULHUB: VHN-95729 // VULMON: CVE-2016-6909 // BID: 92523 // JVNDB: JVNDB-2016-004445 // CNNVD: CNNVD-201608-383 // CNNVD: CNNVD-201608-446 // NVD: CVE-2016-6909

REFERENCES

url:http://www.securityfocus.com/bid/92523

Trust: 2.4

url:https://www.exploit-db.com/exploits/40276/

Trust: 1.9

url:http://fortiguard.com/advisory/fg-ir-16-023

Trust: 1.8

url:http://packetstormsecurity.com/files/138387/egregiousblunder-fortigate-remote-code-execution.html

Trust: 1.8

url:https://musalbas.com/2016/08/16/equation-group-firewall-operations-catalogue.html

Trust: 1.8

url:http://www.securitytracker.com/id/1036643

Trust: 1.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-6909

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-6909

Trust: 0.8

url:http://www.fortinet.com/

Trust: 0.3

url:http://fortiguard.com/advisory/cookie-parser-buffer-overflow-vulnerability

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/119.html

Trust: 0.1

url:https://www.rapid7.com/db/vulnerabilities/fortios-cve-2016-6909

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:http://tools.cisco.com/security/center/viewalert.x?alertid=48526

Trust: 0.1

sources: VULHUB: VHN-95729 // VULMON: CVE-2016-6909 // BID: 92523 // JVNDB: JVNDB-2016-004445 // CNNVD: CNNVD-201608-383 // CNNVD: CNNVD-201608-446 // NVD: CVE-2016-6909

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 92523

SOURCES

db: VULHUB // id: VHN-95729
db: VULMON // id: CVE-2016-6909
db: BID // id: 92523
db: JVNDB // id: JVNDB-2016-004445
db: CNNVD // id: CNNVD-201608-383
db: CNNVD // id: CNNVD-201608-446
db: NVD // id: CVE-2016-6909

LAST UPDATE DATE

2024-08-14T14:46:21.830000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-95729 // date: 2019-05-22T00:00:00
db: VULMON // id: CVE-2016-6909 // date: 2019-05-22T00:00:00
db: BID // id: 92523 // date: 2016-08-17T00:00:00
db: JVNDB // id: JVNDB-2016-004445 // date: 2016-08-25T00:00:00
db: CNNVD // id: CNNVD-201608-383 // date: 2016-08-19T00:00:00
db: CNNVD // id: CNNVD-201608-446 // date: 2019-05-23T00:00:00
db: NVD // id: CVE-2016-6909 // date: 2019-05-22T15:06:00.610

SOURCES RELEASE DATE

db: VULHUB // id: VHN-95729 // date: 2016-08-24T00:00:00
db: VULMON // id: CVE-2016-6909 // date: 2016-08-24T00:00:00
db: BID // id: 92523 // date: 2016-08-17T00:00:00
db: JVNDB // id: JVNDB-2016-004445 // date: 2016-08-25T00:00:00
db: CNNVD // id: CNNVD-201608-383 // date: 2016-08-19T00:00:00
db: CNNVD // id: CNNVD-201608-446 // date: 2016-08-25T00:00:00
db: NVD // id: CVE-2016-6909 // date: 2016-08-24T16:30:00.137