Details of VAR-201910-1237

ID

VAR-201910-1237

CVE

CVE-2019-15703

TITLE

Fortinet FortiOS Vulnerabilities related to lack of entropy

Trust: 0.8

sources: JVNDB: JVNDB-2019-011503

DESCRIPTION

An Insufficient Entropy in PRNG vulnerability in Fortinet FortiOS 6.2.1, 6.2.0, 6.0.8 and below for device not enable hardware TRNG token and models not support builtin TRNG seed allows attacker to theoretically recover the long term ECDSA secret in a TLS client with a RSA handshake and mutual ECDSA authentication via the help of flush+reload side channel attacks in FortiGate VM models only. Fortinet FortiOS Contains a vulnerability related to lack of entropy.Information may be obtained. Fortinet FortiOS is a set of security operating system dedicated to the FortiGate network security platform developed by Fortinet. The system provides users with various security functions such as firewall, anti-virus, IPSec/SSLVPN, Web content filtering and anti-spam. Fortinet FortiOS versions 6.2.1, 6.2.0, 6.0.8 and earlier have security signature vulnerabilities in the deterministic (pseudo-random) number generator (PRNG). An attacker could exploit this vulnerability to obtain sensitive information

Trust: 1.71

sources: NVD: CVE-2019-15703 // JVNDB: JVNDB-2019-011503 // VULHUB: VHN-147776

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortios	scope:	gte	version:	6.2.0	Trust: 1.0
vendor:	fortinet	model:	fortios	scope:	lte	version:	5.6.9	Trust: 1.0
vendor:	fortinet	model:	fortios	scope:	lt	version:	6.0.9	Trust: 1.0
vendor:	fortinet	model:	fortios	scope:	gte	version:	6.0.0	Trust: 1.0
vendor:	fortinet	model:	fortios	scope:	lt	version:	6.2.3	Trust: 1.0
vendor:	fortinet	model:	fortios	scope:	lte	version:	6.2.1	Trust: 0.8

sources: JVNDB: JVNDB-2019-011503 // NVD: CVE-2019-15703

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-15703
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-15703
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201910-1251
value:	HIGH
Trust: 0.6
VULHUB:	VHN-147776
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2019-15703
severity:	LOW
baseScore:	2.6
vectorString:	AV:N/AC:H/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	4.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-147776
severity:	LOW
baseScore:	2.6
vectorString:	AV:N/AC:H/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	4.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-15703
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2019-15703
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-147776 // JVNDB: JVNDB-2019-011503 // CNNVD: CNNVD-201910-1251 // NVD: CVE-2019-15703

PROBLEMTYPE DATA

problemtype:

CWE-331

Trust: 1.9

sources: VULHUB: VHN-147776 // JVNDB: JVNDB-2019-011503 // NVD: CVE-2019-15703

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201910-1251

TYPE

security feature problem

Trust: 0.6

sources: CNNVD: CNNVD-201910-1251

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-011503

PATCH

title:	FG-IR-19-186	url:	https://fortiguard.com/psirt/FG-IR-19-186	Trust: 0.8
title:	Fortinet FortiOS Fixing measures for security feature vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=101614	Trust: 0.6

sources: JVNDB: JVNDB-2019-011503 // CNNVD: CNNVD-201910-1251

EXTERNAL IDS

db:	NVD	id:	CVE-2019-15703	Trust: 2.5
db:	JVNDB	id:	JVNDB-2019-011503	Trust: 0.8
db:	CNNVD	id:	CNNVD-201910-1251	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.3915.2	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.3915	Trust: 0.6
db:	VULHUB	id:	VHN-147776	Trust: 0.1

sources: VULHUB: VHN-147776 // JVNDB: JVNDB-2019-011503 // CNNVD: CNNVD-201910-1251 // NVD: CVE-2019-15703

REFERENCES

url:	https://fortiguard.com/psirt/fg-ir-19-186	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-15703	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-15703	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2019.3915/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.3915.2/	Trust: 0.6
url:	https://vigilance.fr/vulnerability/fortios-information-disclosure-via-drbg-unsufficient-entropy-30682	Trust: 0.6

sources: VULHUB: VHN-147776 // JVNDB: JVNDB-2019-011503 // CNNVD: CNNVD-201910-1251 // NVD: CVE-2019-15703

CREDITS

Shaanan Cohney of the University of Pennsylvania

Trust: 0.6

sources: CNNVD: CNNVD-201910-1251

SOURCES

db:	VULHUB	id:	VHN-147776
db:	JVNDB	id:	JVNDB-2019-011503
db:	CNNVD	id:	CNNVD-201910-1251
db:	NVD	id:	CVE-2019-15703

LAST UPDATE DATE

2024-08-14T14:51:01.972000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-147776	date:	2020-03-30T00:00:00
db:	JVNDB	id:	JVNDB-2019-011503	date:	2019-11-11T00:00:00
db:	CNNVD	id:	CNNVD-201910-1251	date:	2020-03-31T00:00:00
db:	NVD	id:	CVE-2019-15703	date:	2022-03-31T17:53:21.813

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-147776	date:	2019-10-24T00:00:00
db:	JVNDB	id:	JVNDB-2019-011503	date:	2019-11-11T00:00:00
db:	CNNVD	id:	CNNVD-201910-1251	date:	2019-10-21T00:00:00
db:	NVD	id:	CVE-2019-15703	date:	2019-10-24T14:15:11.003