Sign-up

ID

VAR-202006-1549


CVE

CVE-2020-9289


TITLE

FortiManager Vulnerability in using hard-coded credentials in

Trust: 0.8

sources: JVNDB: JVNDB-2020-006884

DESCRIPTION

Use of a hard-coded cryptographic key to encrypt password data in CLI configuration in FortiManager 6.2.3 and below, FortiAnalyzer 6.2.3 and below may allow an attacker with access to the CLI configuration or the CLI backup file to decrypt the sensitive data, via knowledge of the hard-coded key. FortiManager Contains a vulnerability in the use of hard-coded credentials.Information may be obtained. Both Fortinet FortiManager and Fortinet FortiAnalyzer are products of Fortinet. Fortinet FortiManager is a centralized network security management platform. The platform supports centralized management of any number of Fortinet devices, and can group devices into different management domains (ADOMs) to further simplify multi-device security deployment and management. Fortinet FortiAnalyzer is a centralized network security reporting solution. This product is mainly used to collect network log data, and analyze, report, and archive the security events, network traffic, and Web content in the logs through the report suite

Trust: 1.8

sources: NVD: CVE-2020-9289 // JVNDB: JVNDB-2020-006884 // VULHUB: VHN-187414 // VULMON: CVE-2020-9289

AFFECTED PRODUCTS

vendor:fortinetmodel:fortianalyzerscope:lteversion:6.2.3

Trust: 1.0

vendor:fortinetmodel:fortimanagerscope:lteversion:6.2.3

Trust: 1.0

vendor:fortinetmodel:fortimanagerscope:eqversion:6.2.3

Trust: 0.8

sources: JVNDB: JVNDB-2020-006884 // NVD: CVE-2020-9289

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-9289
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-006884
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202006-994
value: HIGH

Trust: 0.6

VULHUB: VHN-187414
value: MEDIUM

Trust: 0.1

VULMON: CVE-2020-9289
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-9289
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2020-006884
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-187414
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-9289
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-006884
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-187414 // VULMON: CVE-2020-9289 // JVNDB: JVNDB-2020-006884 // CNNVD: CNNVD-202006-994 // NVD: CVE-2020-9289

PROBLEMTYPE DATA

problemtype:CWE-798

Trust: 1.9

sources: VULHUB: VHN-187414 // JVNDB: JVNDB-2020-006884 // NVD: CVE-2020-9289

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202006-994

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-202006-994

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2020-006884

PATCH
title:FG-IR-19-007url:https://fortiguard.com/psirt/FG-IR-19-007
Trust: 0.8
title:Fortinet FortiManager  and FortiAnalyzer Repair measures for trust management problem vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=124852
Trust: 0.6
title: - url:https://github.com/Live-Hack-CVE/CVE-2020-9289 
Trust: 0.1
title: - url:https://github.com/synacktiv/CVE-2020-9289 
Trust: 0.1
sources:
            
            
            VULMON: CVE-2020-9289 // 
            
            
            
            JVNDB: JVNDB-2020-006884 // 
            
            
            
            CNNVD: CNNVD-202006-994

EXTERNAL IDS
db:NVDid:CVE-2020-9289
Trust: 2.6
db:JVNDBid:JVNDB-2020-006884
Trust: 0.8
db:CNNVDid:CNNVD-202006-994
Trust: 0.7
db:AUSCERTid:ESB-2019.4387.3
Trust: 0.6
db:CNVDid:CNVD-2020-33243
Trust: 0.1
db:VULHUBid:VHN-187414
Trust: 0.1
db:VULMONid:CVE-2020-9289
Trust: 0.1
sources:
            
            
            VULHUB: VHN-187414 // 
            
            
            
            VULMON: CVE-2020-9289 // 
            
            
            
            JVNDB: JVNDB-2020-006884 // 
            
            
            
            CNNVD: CNNVD-202006-994 // 
            
            
            
            NVD: CVE-2020-9289

REFERENCES
url:https://fortiguard.com/psirt/fg-ir-19-007
Trust: 1.8
url:https://nvd.nist.gov/vuln/detail/cve-2020-9289
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-9289
Trust: 0.8
url:https://vigilance.fr/vulnerability/fortimanager-information-disclosure-via-hard-coded-cryptographic-key-32531
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2019.4387.3/
Trust: 0.6
url:https://cwe.mitre.org/data/definitions/798.html
Trust: 0.1
url:https://github.com/live-hack-cve/cve-2020-9289
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
sources:
            
            
            VULHUB: VHN-187414 // 
            
            
            
            VULMON: CVE-2020-9289 // 
            
            
            
            JVNDB: JVNDB-2020-006884 // 
            
            
            
            CNNVD: CNNVD-202006-994 // 
            
            
            
            NVD: CVE-2020-9289

CREDITS
Denis Kolegov, Maxim Gorbunov, Nikita Oleksov and Anton Nikolaev
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-202006-994

SOURCES
db:VULHUBid:VHN-187414
db:VULMONid:CVE-2020-9289
db:JVNDBid:JVNDB-2020-006884
db:CNNVDid:CNNVD-202006-994
db:NVDid:CVE-2020-9289

LAST UPDATE DATE
2024-08-14T13:44:36.696000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-187414date:2022-10-06T00:00:00
db:VULMONid:CVE-2020-9289date:2022-10-06T00:00:00
db:JVNDBid:JVNDB-2020-006884date:2020-07-22T00:00:00
db:CNNVDid:CNNVD-202006-994date:2020-07-27T00:00:00
db:NVDid:CVE-2020-9289date:2022-10-06T23:59:27.180

SOURCES RELEASE DATE
db:VULHUBid:VHN-187414date:2020-06-16T00:00:00
db:VULMONid:CVE-2020-9289date:2020-06-16T00:00:00
db:JVNDBid:JVNDB-2020-006884date:2020-07-22T00:00:00
db:CNNVDid:CNNVD-202006-994date:2020-06-12T00:00:00
db:NVDid:CVE-2020-9289date:2020-06-16T21:15:11.470