ID

VAR-202112-0289


CVE

CVE-2021-26110


TITLE

FortiOS autod daemon  and  FortiProxy  Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2021-016016

DESCRIPTION

An improper access control vulnerability [CWE-284] in FortiOS autod daemon 7.0.0, 6.4.6 and below, 6.2.9 and below, 6.0.12 and below and FortiProxy 2.0.1 and below, 1.2.9 and below may allow an authenticated low-privileged attacker to escalate their privileges to super_admin via a specific crafted configuration of fabric automation CLI script and auto-script features. FortiOS autod daemon and FortiProxy Exists in unspecified vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Fortinet FortiOS is a set of security operating system dedicated to the FortiGate network security platform developed by Fortinet. The system provides users with various security functions such as firewall, anti-virus, IPSec/SSLVPN, Web content filtering and anti-spam

Trust: 1.71

sources: NVD: CVE-2021-26110 // JVNDB: JVNDB-2021-016016 // VULHUB: VHN-385074

AFFECTED PRODUCTS

vendor:fortinetmodel:fortiosscope:gteversion:6.2.0

Trust: 1.0

vendor:fortinetmodel:fortiosscope:lteversion:6.4.6

Trust: 1.0

vendor:fortinetmodel:fortiproxyscope:lteversion:1.0.7

Trust: 1.0

vendor:fortinetmodel:fortiosscope:gteversion:5.6.0

Trust: 1.0

vendor:fortinetmodel:fortiosscope:lteversion:6.0.12

Trust: 1.0

vendor:fortinetmodel:fortiproxyscope:eqversion:2.0.0

Trust: 1.0

vendor:fortinetmodel:fortiproxyscope:gteversion:1.2.0

Trust: 1.0

vendor:fortinetmodel:fortiosscope:lteversion:6.2.9

Trust: 1.0

vendor:fortinetmodel:fortiosscope:gteversion:6.4.0

Trust: 1.0

vendor:fortinetmodel:fortiosscope:eqversion:7.0.0

Trust: 1.0

vendor:fortinetmodel:fortiosscope:lteversion:5.6.14

Trust: 1.0

vendor:fortinetmodel:fortiproxyscope:lteversion:1.1.6

Trust: 1.0

vendor:fortinetmodel:fortiproxyscope:eqversion:2.0.1

Trust: 1.0

vendor:fortinetmodel:fortiproxyscope:gteversion:1.0.0

Trust: 1.0

vendor:fortinetmodel:fortiosscope:gteversion:6.0.0

Trust: 1.0

vendor:fortinetmodel:fortiproxyscope:gteversion:1.1.0

Trust: 1.0

vendor:fortinetmodel:fortiproxyscope:lteversion:1.2.9

Trust: 1.0

vendor:フォーティネットmodel:fortiosscope: - version: -

Trust: 0.8

vendor:フォーティネットmodel:fortiproxyscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-016016 // NVD: CVE-2021-26110

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-26110
value: HIGH

Trust: 1.0

psirt@fortinet.com: CVE-2021-26110
value: HIGH

Trust: 1.0

NVD: CVE-2021-26110
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202112-532
value: HIGH

Trust: 0.6

VULHUB: VHN-385074
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-26110
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-385074
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-26110
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 2.0

OTHER: JVNDB-2021-016016
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-385074 // JVNDB: JVNDB-2021-016016 // CNNVD: CNNVD-202112-532 // NVD: CVE-2021-26110 // NVD: CVE-2021-26110

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:others (CWE-Other) [NVD evaluation ]

Trust: 0.8

problemtype:CWE-269

Trust: 0.1

sources: VULHUB: VHN-385074 // JVNDB: JVNDB-2021-016016 // NVD: CVE-2021-26110

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202112-532

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202112-532

PATCH

title:FG-IR-20-131url:https://www.fortiguard.com/psirt/FG-IR-20-131

Trust: 0.8

title:Fortinet FortiOS Fixes for access control error vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=173726

Trust: 0.6

sources: JVNDB: JVNDB-2021-016016 // CNNVD: CNNVD-202112-532

EXTERNAL IDS

db:NVDid:CVE-2021-26110

Trust: 3.3

db:JVNDBid:JVNDB-2021-016016

Trust: 0.8

db:CNNVDid:CNNVD-202112-532

Trust: 0.7

db:AUSCERTid:ESB-2021.4147

Trust: 0.6

db:CS-HELPid:SB2021120717

Trust: 0.6

db:VULHUBid:VHN-385074

Trust: 0.1

sources: VULHUB: VHN-385074 // JVNDB: JVNDB-2021-016016 // CNNVD: CNNVD-202112-532 // NVD: CVE-2021-26110

REFERENCES

url:https://fortiguard.com/advisory/fg-ir-20-131

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2021-26110

Trust: 1.4

url:https://www.auscert.org.au/bulletins/esb-2021.4147

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021120717

Trust: 0.6

url:https://vigilance.fr/vulnerability/fortios-privilege-escalation-via-automation-script-feature-37019

Trust: 0.6

sources: VULHUB: VHN-385074 // JVNDB: JVNDB-2021-016016 // CNNVD: CNNVD-202112-532 // NVD: CVE-2021-26110

SOURCES

db:VULHUBid:VHN-385074
db:JVNDBid:JVNDB-2021-016016
db:CNNVDid:CNNVD-202112-532
db:NVDid:CVE-2021-26110

LAST UPDATE DATE

2024-08-14T14:02:55.097000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-385074date:2022-07-12T00:00:00
db:JVNDBid:JVNDB-2021-016016date:2022-12-05T06:46:00
db:CNNVDid:CNNVD-202112-532date:2022-07-14T00:00:00
db:NVDid:CVE-2021-26110date:2022-07-12T17:42:04.277

SOURCES RELEASE DATE

db:VULHUBid:VHN-385074date:2021-12-08T00:00:00
db:JVNDBid:JVNDB-2021-016016date:2022-12-05T00:00:00
db:CNNVDid:CNNVD-202112-532date:2021-12-08T00:00:00
db:NVDid:CVE-2021-26110date:2021-12-08T11:15:11.683