ID

VAR-202006-1549


CVE

CVE-2020-9289


TITLE

FortiManager Vulnerability in using hard-coded credentials in

Trust: 0.8

sources: JVNDB: JVNDB-2020-006884

DESCRIPTION

Use of a hard-coded cryptographic key to encrypt password data in CLI configuration in FortiManager 6.2.3 and below, FortiAnalyzer 6.2.3 and below may allow an attacker with access to the CLI configuration or the CLI backup file to decrypt the sensitive data, via knowledge of the hard-coded key. FortiManager Contains a vulnerability in the use of hard-coded credentials.Information may be obtained. Both Fortinet FortiManager and Fortinet FortiAnalyzer are products of Fortinet. Fortinet FortiManager is a centralized network security management platform. The platform supports centralized management of any number of Fortinet devices, and can group devices into different management domains (ADOMs) to further simplify multi-device security deployment and management. Fortinet FortiAnalyzer is a centralized network security reporting solution. This product is mainly used to collect network log data, and analyze, report, and archive the security events, network traffic, and Web content in the logs through the report suite

Trust: 1.8

sources: NVD: CVE-2020-9289 // JVNDB: JVNDB-2020-006884 // VULHUB: VHN-187414 // VULMON: CVE-2020-9289

AFFECTED PRODUCTS

vendor:fortinetmodel:fortianalyzerscope:lteversion:6.2.3

Trust: 1.0

vendor:fortinetmodel:fortimanagerscope:lteversion:6.2.3

Trust: 1.0

vendor:fortinetmodel:fortimanagerscope:eqversion:6.2.3

Trust: 0.8

sources: JVNDB: JVNDB-2020-006884 // NVD: CVE-2020-9289

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-9289
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-006884
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202006-994
value: HIGH

Trust: 0.6

VULHUB: VHN-187414
value: MEDIUM

Trust: 0.1

VULMON: CVE-2020-9289
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-9289
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2020-006884
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-187414
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-9289
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-006884
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-187414 // VULMON: CVE-2020-9289 // JVNDB: JVNDB-2020-006884 // CNNVD: CNNVD-202006-994 // NVD: CVE-2020-9289

PROBLEMTYPE DATA

problemtype:CWE-798

Trust: 1.9

sources: VULHUB: VHN-187414 // JVNDB: JVNDB-2020-006884 // NVD: CVE-2020-9289

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202006-994

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-202006-994

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-006884

PATCH

title:FG-IR-19-007url:https://fortiguard.com/psirt/FG-IR-19-007

Trust: 0.8

title:Fortinet FortiManager and FortiAnalyzer Repair measures for trust management problem vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=124852

Trust: 0.6

title: - url:https://github.com/Live-Hack-CVE/CVE-2020-9289

Trust: 0.1

title: - url:https://github.com/synacktiv/CVE-2020-9289

Trust: 0.1

sources: VULMON: CVE-2020-9289 // JVNDB: JVNDB-2020-006884 // CNNVD: CNNVD-202006-994

EXTERNAL IDS

db:NVDid:CVE-2020-9289

Trust: 2.6

db:JVNDBid:JVNDB-2020-006884

Trust: 0.8

db:CNNVDid:CNNVD-202006-994

Trust: 0.7

db:AUSCERTid:ESB-2019.4387.3

Trust: 0.6

db:CNVDid:CNVD-2020-33243

Trust: 0.1

db:VULHUBid:VHN-187414

Trust: 0.1

db:VULMONid:CVE-2020-9289

Trust: 0.1

sources: VULHUB: VHN-187414 // VULMON: CVE-2020-9289 // JVNDB: JVNDB-2020-006884 // CNNVD: CNNVD-202006-994 // NVD: CVE-2020-9289

REFERENCES

url:https://fortiguard.com/psirt/fg-ir-19-007

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2020-9289

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-9289

Trust: 0.8

url:https://vigilance.fr/vulnerability/fortimanager-information-disclosure-via-hard-coded-cryptographic-key-32531

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.4387.3/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/798.html

Trust: 0.1

url:https://github.com/live-hack-cve/cve-2020-9289

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-187414 // VULMON: CVE-2020-9289 // JVNDB: JVNDB-2020-006884 // CNNVD: CNNVD-202006-994 // NVD: CVE-2020-9289

CREDITS

Denis Kolegov, Maxim Gorbunov, Nikita Oleksov and Anton Nikolaev

Trust: 0.6

sources: CNNVD: CNNVD-202006-994

SOURCES

db:VULHUBid:VHN-187414
db:VULMONid:CVE-2020-9289
db:JVNDBid:JVNDB-2020-006884
db:CNNVDid:CNNVD-202006-994
db:NVDid:CVE-2020-9289

LAST UPDATE DATE

2024-08-14T13:44:36.696000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-187414date:2022-10-06T00:00:00
db:VULMONid:CVE-2020-9289date:2022-10-06T00:00:00
db:JVNDBid:JVNDB-2020-006884date:2020-07-22T00:00:00
db:CNNVDid:CNNVD-202006-994date:2020-07-27T00:00:00
db:NVDid:CVE-2020-9289date:2022-10-06T23:59:27.180

SOURCES RELEASE DATE

db:VULHUBid:VHN-187414date:2020-06-16T00:00:00
db:VULMONid:CVE-2020-9289date:2020-06-16T00:00:00
db:JVNDBid:JVNDB-2020-006884date:2020-07-22T00:00:00
db:CNNVDid:CNNVD-202006-994date:2020-06-12T00:00:00
db:NVDid:CVE-2020-9289date:2020-06-16T21:15:11.470