Sign-up

ID

VAR-201904-0538


CVE

CVE-2017-17544


TITLE

Fortinet FortiOS Vulnerabilities related to authorization, permissions, and access control

Trust: 0.8

sources: JVNDB: JVNDB-2017-014421

DESCRIPTION

A privilege escalation vulnerability in Fortinet FortiOS 6.0.0 to 6.0.6, 5.6.0 to 5.6.10, 5.4 and below allows admin users to elevate their profile to super_admin via restoring modified configurations. Fortinet FortiOS Contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. FortinetFortiOS is a set of Fortinet security operating systems dedicated to the FortiGate network security platform. The system provides users with multiple security features such as firewall, anti-virus, IPSec/SSLVPN, web content filtering and anti-spam. Permissions and access control issues vulnerabilities exist in versions prior to FortinetFortiOS6.2.06.2.0. The vulnerability stems from the lack of effective permissions and access control measures for network systems or products. Fortinet FortiOS is prone to a remote privilege-escalation vulnerability. An attacker can exploit this issue to gain elevated privileges and perform unauthorized actions. Versions prior to Fortinet FortiOS 6.2.0 are vulnerable

Trust: 2.52

sources: NVD: CVE-2017-17544 // JVNDB: JVNDB-2017-014421 // CNVD: CNVD-2019-13556 // BID: 107839 // VULHUB: VHN-108577

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-13556

AFFECTED PRODUCTS

vendor:fortinetmodel:fortiosscope:lteversion:5.6.10

Trust: 1.0

vendor:fortinetmodel:fortiosscope:lteversion:5.4.0

Trust: 1.0

vendor:fortinetmodel:fortiosscope:gteversion:5.6.0

Trust: 1.0

vendor:fortinetmodel:fortiosscope:gteversion:6.0.0

Trust: 1.0

vendor:fortinetmodel:fortiosscope:lteversion:6.0.6

Trust: 1.0

vendor:fortinetmodel:fortiosscope:ltversion:6.2.0

Trust: 0.8

vendor:fortinetmodel:fortiosscope:ltversion:6.2.06.2.0

Trust: 0.6

vendor:fortinetmodel:fortiosscope:eqversion:6.0.3

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:6.0.2

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:6.0.1

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:6.0

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.6.8

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.6.7

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.6.6

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.6.5

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.6.4

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.6.3

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.6.2

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.6

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.4.10

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.4.9

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.4.8

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.4.7

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.4.6

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.4.5

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.4.4

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.4.3

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.4.2

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.4.1

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.12

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.11

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.8

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.6

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.5

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.4

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.3

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.2

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.1

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.0.13

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.0.9

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.0.8

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.0.7

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.0.3

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.0.2

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.0.1

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:4.3.19

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:4.3.17

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:4.3.15

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.6.1

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.4.0

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.4

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.9

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2.10

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.2

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.0.6

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.0.5

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.0.4

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.0.12

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.0.11

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:5.0.0

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:4.3.18

Trust: 0.3

vendor:fortinetmodel:fortiosscope:eqversion:4.3.16

Trust: 0.3

vendor:fortinetmodel:fortiosscope:neversion:6.2

Trust: 0.3

sources: CNVD: CNVD-2019-13556 // BID: 107839 // JVNDB: JVNDB-2017-014421 // NVD: CVE-2017-17544

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-17544
value: HIGH

Trust: 1.0

NVD: CVE-2017-17544
value: HIGH

Trust: 0.8

CNVD: CNVD-2019-13556
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201712-455
value: HIGH

Trust: 0.6

VULHUB: VHN-108577
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2017-17544
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-13556
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-108577
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-17544
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2017-17544
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2019-13556 // VULHUB: VHN-108577 // JVNDB: JVNDB-2017-014421 // CNNVD: CNNVD-201712-455 // NVD: CVE-2017-17544

PROBLEMTYPE DATA

problemtype:CWE-269

Trust: 1.1

problemtype:CWE-264

Trust: 0.9

problemtype:CWE-281

Trust: 0.1

sources: VULHUB: VHN-108577 // JVNDB: JVNDB-2017-014421 // NVD: CVE-2017-17544

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201712-455

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201712-455

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-014421

PATCH
title:FG-IR-17-053url:https://fortiguard.com/psirt/FG-IR-17-053
Trust: 0.8
title:Patch for FortinetFortiOS Permissions and Access Control Issue Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/160663
Trust: 0.6
title:Fortinet FortiOS Buffer error vulnerability fixurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=91037
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2019-13556 // 
            
            
            
            JVNDB: JVNDB-2017-014421 // 
            
            
            
            CNNVD: CNNVD-201712-455

EXTERNAL IDS
db:NVDid:CVE-2017-17544
Trust: 3.4
db:BIDid:107839
Trust: 2.6
db:JVNDBid:JVNDB-2017-014421
Trust: 0.8
db:CNNVDid:CNNVD-201712-455
Trust: 0.7
db:CNVDid:CNVD-2019-13556
Trust: 0.6
db:AUSCERTid:ESB-2019.1114.2
Trust: 0.6
db:AUSCERTid:ESB-2019.1114.4
Trust: 0.6
db:VULHUBid:VHN-108577
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2019-13556 // 
            
            
            
            VULHUB: VHN-108577 // 
            
            
            
            BID: 107839 // 
            
            
            
            JVNDB: JVNDB-2017-014421 // 
            
            
            
            CNNVD: CNNVD-201712-455 // 
            
            
            
            NVD: CVE-2017-17544

REFERENCES
url:http://www.securityfocus.com/bid/107839
Trust: 2.9
url:https://fortiguard.com/advisory/fg-ir-17-053
Trust: 1.7
url:https://nvd.nist.gov/vuln/detail/cve-2017-17544
Trust: 1.4
url:http://www.fortinet.com/
Trust: 0.9
url:https://fortiguard.com/psirt/fg-ir-17-053
Trust: 0.9
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-17544
Trust: 0.8
url:https://fortiguard.com/psirt/fg-ir-18-388
Trust: 0.6
url:https://vigilance.fr/vulnerability/fortios-privilege-escalation-via-restoring-modified-configurations-28932
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2019.1114.2/
Trust: 0.6
url:https://www.auscert.org.au/bulletins/78322
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2019-13556 // 
            
            
            
            VULHUB: VHN-108577 // 
            
            
            
            BID: 107839 // 
            
            
            
            JVNDB: JVNDB-2017-014421 // 
            
            
            
            CNNVD: CNNVD-201712-455 // 
            
            
            
            NVD: CVE-2017-17544

CREDITS
The vendor reported this issue.
Trust: 0.3
sources:
            
            
            BID: 107839

SOURCES
db:CNVDid:CNVD-2019-13556
db:VULHUBid:VHN-108577
db:BIDid:107839
db:JVNDBid:JVNDB-2017-014421
db:CNNVDid:CNNVD-201712-455
db:NVDid:CVE-2017-17544

LAST UPDATE DATE
2024-08-14T14:56:56.157000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2019-13556date:2019-05-10T00:00:00
db:VULHUBid:VHN-108577date:2020-08-28T00:00:00
db:BIDid:107839date:2019-04-02T00:00:00
db:JVNDBid:JVNDB-2017-014421date:2019-05-13T00:00:00
db:CNNVDid:CNNVD-201712-455date:2020-04-07T00:00:00
db:NVDid:CVE-2017-17544date:2020-08-28T15:14:11.500

SOURCES RELEASE DATE
db:CNVDid:CNVD-2019-13556date:2019-05-10T00:00:00
db:VULHUBid:VHN-108577date:2019-04-09T00:00:00
db:BIDid:107839date:2019-04-02T00:00:00
db:JVNDBid:JVNDB-2017-014421date:2019-05-13T00:00:00
db:CNNVDid:CNNVD-201712-455date:2017-12-12T00:00:00
db:NVDid:CVE-2017-17544date:2019-04-09T16:29:00.367