ID

VAR-202006-0750


CVE

CVE-2019-16150


TITLE

Vulnerability in the use of hard-coded credentials in FortiClient for Windows

Trust: 0.8

sources: JVNDB: JVNDB-2019-015639

DESCRIPTION

Use of a hard-coded cryptographic key to encrypt security-sensitive data in local storage and configuration in FortiClient for Windows prior to 6.4.0 may allow an attacker with access to the local storage or the configuration backup file to decrypt the sensitive data via knowledge of the hard-coded key. FortiClient for Windows contains a vulnerability in the use of hard-coded credentials. Information may be obtained. Fortinet FortiClient is a mobile terminal security solution developed by Fortinet. The solution provides IPsec and SSL encryption, WAN optimization, endpoint compliance, and two-factor authentication when connected to FortiGate firewall appliances. A security vulnerability exists in Fortinet FortiClient for Windows versions earlier than 6.4.0. An attacker could exploit this vulnerability to decrypt sensitive information.

Trust: 1.71

sources: NVD: CVE-2019-16150 // JVNDB: JVNDB-2019-015639 // VULHUB: VHN-148268

AFFECTED PRODUCTS

vendor: fortinet, model: forticlient, scope: lt, version: 6.4.0

Trust: 1.0

vendor: fortinet, model: forticlient, scope: eq, version: 6.4.0

Trust: 0.8

sources: JVNDB: JVNDB-2019-015639 // NVD: CVE-2019-16150

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-16150
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2019-015639
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202006-144
value: MEDIUM

Trust: 0.6

VULHUB: VHN-148268
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-16150
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2019-015639
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-148268
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-16150
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: JVNDB-2019-015639
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-148268 // JVNDB: JVNDB-2019-015639 // CNNVD: CNNVD-202006-144 // NVD: CVE-2019-16150

PROBLEMTYPE DATA

problemtype: CWE-798

Trust: 1.9

sources: VULHUB: VHN-148268 // JVNDB: JVNDB-2019-015639 // NVD: CVE-2019-16150

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202006-144

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-202006-144

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-015639

PATCH

title: FG-IR-19-194, url: https://fortiguard.com/psirt/FG-IR-19-194

Trust: 0.8

title: Fortinet FortiClient Repair measures for trust management problem vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=121037

Trust: 0.6

sources: JVNDB: JVNDB-2019-015639 // CNNVD: CNNVD-202006-144

EXTERNAL IDS

db: NVD, id: CVE-2019-16150

Trust: 2.5

db: JVNDB, id: JVNDB-2019-015639

Trust: 0.8

db: CNNVD, id: CNNVD-202006-144

Trust: 0.7

db: AUSCERT, id: ESB-2020.1916

Trust: 0.6

db: CNVD, id: CNVD-2020-37945

Trust: 0.1

db: VULHUB, id: VHN-148268

Trust: 0.1

sources: VULHUB: VHN-148268 // JVNDB: JVNDB-2019-015639 // CNNVD: CNNVD-202006-144 // NVD: CVE-2019-16150

REFERENCES

url:https://fortiguard.com/psirt/fg-ir-19-194

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-16150

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-16150

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2020.1916/

Trust: 0.6

url:https://media.cert.europa.eu/static/securityadvisories/2020/cert-eu-sa2020-029.pdf

Trust: 0.6

url:https://vigilance.fr/vulnerability/forticlient-for-windows-information-disclosure-via-hard-coded-cryptographic-key-32370

Trust: 0.6

sources: VULHUB: VHN-148268 // JVNDB: JVNDB-2019-015639 // CNNVD: CNNVD-202006-144 // NVD: CVE-2019-16150

CREDITS

Gregory Draperi

Trust: 0.6

sources: CNNVD: CNNVD-202006-144

SOURCES

db: VULHUB, id: VHN-148268
db: JVNDB, id: JVNDB-2019-015639
db: CNNVD, id: CNNVD-202006-144
db: NVD, id: CVE-2019-16150

LAST UPDATE DATE

2024-11-23T22:21:10.417000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-148268, date: 2020-06-09T00:00:00
db: JVNDB, id: JVNDB-2019-015639, date: 2020-07-01T00:00:00
db: CNNVD, id: CNNVD-202006-144, date: 2020-06-10T00:00:00
db: NVD, id: CVE-2019-16150, date: 2024-11-21T04:30:09.220

SOURCES RELEASE DATE

db: VULHUB, id: VHN-148268, date: 2020-06-04T00:00:00
db: JVNDB, id: JVNDB-2019-015639, date: 2020-07-01T00:00:00
db: CNNVD, id: CNNVD-202006-144, date: 2020-06-02T00:00:00
db: NVD, id: CVE-2019-16150, date: 2020-06-04T13:15:10.757