Details of VAR-201706-0017

ID

VAR-201706-0017

CVE

CVE-2016-8493

TITLE

fortinet's Windows for FortiClient Vulnerabilities related to authorization, privileges, and access control in

Trust: 0.8

sources: JVNDB: JVNDB-2016-009740

DESCRIPTION

In FortiClientWindows 5.4.1 and 5.4.2, an attacker may escalate privilege via a FortiClientNamedPipe vulnerability. fortinet's Windows for FortiClient contains vulnerabilities related to authorization, privileges, and access control.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Fortinet FortiClient is prone to a privilege-escalation vulnerability. An attacker can exploit this issue to execute arbitrary code with elevated privileges. FortiClient 5.4.1 and 5.4.2 are vulnerable. Fortinet FortiClient is a mobile terminal security solution developed by Fortinet. The solution provides IPsec and SSL encryption, WAN optimization, endpoint compliance, and two-factor authentication when connected to FortiGate firewall appliances

Trust: 1.98

sources: NVD: CVE-2016-8493 // JVNDB: JVNDB-2016-009740 // BID: 101682 // VULHUB: VHN-97313

AFFECTED PRODUCTS

vendor:	fortinet	model:	forticlient	scope:	eq	version:	5.4.2	Trust: 1.9
vendor:	fortinet	model:	forticlient	scope:	eq	version:	5.4.1	Trust: 1.9
vendor:	フォーティネット	model:	forticlient	scope:	eq	version:	5.4.2	Trust: 0.8
vendor:	フォーティネット	model:	forticlient	scope:	eq	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	forticlient	scope:	eq	version:	5.4.1	Trust: 0.8
vendor:	fortinet	model:	forticlient	scope:	ne	version:	5.6	Trust: 0.3
vendor:	fortinet	model:	forticlient	scope:	ne	version:	5.4.3	Trust: 0.3

sources: BID: 101682 // JVNDB: JVNDB-2016-009740 // CNNVD: CNNVD-201711-307 // NVD: CVE-2016-8493

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-8493
value:	HIGH
Trust: 1.0
NVD:	CVE-2016-8493
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201711-307
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-97313
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2016-8493
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-97313
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2016-8493
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-97313 // JVNDB: JVNDB-2016-009740 // CNNVD: CNNVD-201711-307 // NVD: CVE-2016-8493

PROBLEMTYPE DATA

problemtype:	CWE-264	Trust: 1.1
problemtype:	Authorization / authority / access control (CWE-264) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-97313 // JVNDB: JVNDB-2016-009740 // NVD: CVE-2016-8493

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201711-307

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201711-307

PATCH

title:	FG-IR-16-095	url:	https://www.fortiguard.com/psirt/FG-IR-16-095	Trust: 0.8
title:	Fortinet FortiClient Fixes for permission permissions and access control vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=76204	Trust: 0.6

sources: JVNDB: JVNDB-2016-009740 // CNNVD: CNNVD-201711-307

EXTERNAL IDS

db:	NVD	id:	CVE-2016-8493	Trust: 3.6
db:	BID	id:	101682	Trust: 2.8
db:	JVNDB	id:	JVNDB-2016-009740	Trust: 0.8
db:	CNNVD	id:	CNNVD-201711-307	Trust: 0.7
db:	VULHUB	id:	VHN-97313	Trust: 0.1

sources: VULHUB: VHN-97313 // BID: 101682 // JVNDB: JVNDB-2016-009740 // CNNVD: CNNVD-201711-307 // NVD: CVE-2016-8493

REFERENCES

url:	http://www.securityfocus.com/bid/101682	Trust: 2.5
url:	https://fortiguard.com/psirt/fg-ir-16-095	Trust: 1.4
url:	https://nvd.nist.gov/vuln/detail/cve-2016-8493	Trust: 0.8
url:	http://www.fortinet.com/	Trust: 0.3

sources: VULHUB: VHN-97313 // BID: 101682 // JVNDB: JVNDB-2016-009740 // CNNVD: CNNVD-201711-307 // NVD: CVE-2016-8493

CREDITS

Zhipeng Huo from Tencent Technology Company Limited.

Trust: 0.9

sources: BID: 101682 // CNNVD: CNNVD-201711-307

SOURCES

db:	VULHUB	id:	VHN-97313
db:	BID	id:	101682
db:	JVNDB	id:	JVNDB-2016-009740
db:	CNNVD	id:	CNNVD-201711-307
db:	NVD	id:	CVE-2016-8493

LAST UPDATE DATE

2024-08-14T13:56:47.457000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-97313	date:	2018-01-17T00:00:00
db:	BID	id:	101682	date:	2017-12-19T21:00:00
db:	JVNDB	id:	JVNDB-2016-009740	date:	2024-07-23T07:03:00
db:	CNNVD	id:	CNNVD-201711-307	date:	2017-11-10T00:00:00
db:	NVD	id:	CVE-2016-8493	date:	2018-01-17T16:07:50.010

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-97313	date:	2017-06-26T00:00:00
db:	BID	id:	101682	date:	2017-11-07T00:00:00
db:	JVNDB	id:	JVNDB-2016-009740	date:	2024-07-23T00:00:00
db:	CNNVD	id:	CNNVD-201711-307	date:	2017-11-10T00:00:00
db:	NVD	id:	CVE-2016-8493	date:	2017-06-26T17:29:00.187