ID

VAR-201910-1237


CVE

CVE-2019-15703


TITLE

Fortinet FortiOS Vulnerabilities related to lack of entropy

Trust: 0.8

sources: JVNDB: JVNDB-2019-011503

DESCRIPTION

An insufficient entropy in PRNG vulnerability in Fortinet FortiOS 6.2.1, 6.2.0, 6.0.8 and below, on devices that do not enable the hardware TRNG token and models that do not support a built-in TRNG seed, allows an attacker to theoretically recover the long-term ECDSA secret in a TLS client with an RSA handshake and mutual ECDSA authentication, with the help of flush+reload side-channel attacks, in FortiGate VM models only. Fortinet FortiOS contains a vulnerability related to lack of entropy. Information may be obtained. Fortinet FortiOS is a security operating system dedicated to the FortiGate network security platform, developed by Fortinet. The system provides users with various security functions such as firewall, anti-virus, IPSec/SSL VPN, web content filtering and anti-spam. Fortinet FortiOS versions 6.2.1, 6.2.0, 6.0.8 and earlier have security signature vulnerabilities in the deterministic (pseudo-random) number generator (PRNG). An attacker could exploit this vulnerability to obtain sensitive information.

Trust: 1.71

sources: NVD: CVE-2019-15703 // JVNDB: JVNDB-2019-011503 // VULHUB: VHN-147776

AFFECTED PRODUCTS

vendor: fortinet, model: fortios, scope: gte, version: 6.2.0

Trust: 1.0

vendor: fortinet, model: fortios, scope: lte, version: 5.6.9

Trust: 1.0

vendor: fortinet, model: fortios, scope: lt, version: 6.0.9

Trust: 1.0

vendor: fortinet, model: fortios, scope: gte, version: 6.0.0

Trust: 1.0

vendor: fortinet, model: fortios, scope: lt, version: 6.2.3

Trust: 1.0

vendor: fortinet, model: fortios, scope: lte, version: 6.2.1

Trust: 0.8

sources: JVNDB: JVNDB-2019-011503 // NVD: CVE-2019-15703

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-15703
value: HIGH

Trust: 1.0

NVD: CVE-2019-15703
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201910-1251
value: HIGH

Trust: 0.6

VULHUB: VHN-147776
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2019-15703
severity: LOW
baseScore: 2.6
vectorString: AV:N/AC:H/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 4.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-147776
severity: LOW
baseScore: 2.6
vectorString: AV:N/AC:H/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 4.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-15703
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2019-15703
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-147776 // JVNDB: JVNDB-2019-011503 // CNNVD: CNNVD-201910-1251 // NVD: CVE-2019-15703

PROBLEMTYPE DATA

problemtype: CWE-331

Trust: 1.9

sources: VULHUB: VHN-147776 // JVNDB: JVNDB-2019-011503 // NVD: CVE-2019-15703

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201910-1251

TYPE

security feature problem

Trust: 0.6

sources: CNNVD: CNNVD-201910-1251

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-011503

PATCH

title: FG-IR-19-186, url: https://fortiguard.com/psirt/FG-IR-19-186

Trust: 0.8

title: Fortinet FortiOS Fixing measures for security feature vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=101614

Trust: 0.6

sources: JVNDB: JVNDB-2019-011503 // CNNVD: CNNVD-201910-1251

EXTERNAL IDS

db: NVD, id: CVE-2019-15703

Trust: 2.5

db: JVNDB, id: JVNDB-2019-011503

Trust: 0.8

db: CNNVD, id: CNNVD-201910-1251

Trust: 0.7

db: AUSCERT, id: ESB-2019.3915.2

Trust: 0.6

db: AUSCERT, id: ESB-2019.3915

Trust: 0.6

db: VULHUB, id: VHN-147776

Trust: 0.1

sources: VULHUB: VHN-147776 // JVNDB: JVNDB-2019-011503 // CNNVD: CNNVD-201910-1251 // NVD: CVE-2019-15703

REFERENCES

url: https://fortiguard.com/psirt/fg-ir-19-186

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2019-15703

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-15703

Trust: 0.8

url: https://www.auscert.org.au/bulletins/esb-2019.3915/

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2019.3915.2/

Trust: 0.6

url: https://vigilance.fr/vulnerability/fortios-information-disclosure-via-drbg-unsufficient-entropy-30682

Trust: 0.6

sources: VULHUB: VHN-147776 // JVNDB: JVNDB-2019-011503 // CNNVD: CNNVD-201910-1251 // NVD: CVE-2019-15703

CREDITS

Shaanan Cohney of the University of Pennsylvania

Trust: 0.6

sources: CNNVD: CNNVD-201910-1251

SOURCES

db: VULHUB, id: VHN-147776
db: JVNDB, id: JVNDB-2019-011503
db: CNNVD, id: CNNVD-201910-1251
db: NVD, id: CVE-2019-15703

LAST UPDATE DATE

2024-08-14T14:51:01.972000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-147776, date: 2020-03-30T00:00:00
db: JVNDB, id: JVNDB-2019-011503, date: 2019-11-11T00:00:00
db: CNNVD, id: CNNVD-201910-1251, date: 2020-03-31T00:00:00
db: NVD, id: CVE-2019-15703, date: 2022-03-31T17:53:21.813

SOURCES RELEASE DATE

db: VULHUB, id: VHN-147776, date: 2019-10-24T00:00:00
db: JVNDB, id: JVNDB-2019-011503, date: 2019-11-11T00:00:00
db: CNNVD, id: CNNVD-201910-1251, date: 2019-10-21T00:00:00
db: NVD, id: CVE-2019-15703, date: 2019-10-24T14:15:11.003