ID

VAR-202210-0435


CVE

CVE-2021-44171


TITLE

OS command injection vulnerability in Fortinet FortiOS

Trust: 0.8

sources: JVNDB: JVNDB-2021-020385

DESCRIPTION

An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiOS version 6.0.0 through 6.0.14, FortiOS version 6.2.0 through 6.2.10, FortiOS version 6.4.0 through 6.4.8, and FortiOS version 7.0.0 through 7.0.3 allows an attacker to execute privileged commands on a linked FortiSwitch via diagnostic CLI commands. Fortinet FortiOS contains an OS command injection vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Fortinet FortiOS is a security operating system, developed by Fortinet, dedicated to the FortiGate network security platform. The system provides users with various security functions such as firewall, anti-virus, IPSec/SSL VPN, web content filtering and anti-spam. The vulnerability stems from improper neutralization of special elements used in an OS command. An attacker could exploit this vulnerability to execute privileged commands on a linked FortiSwitch. The following products and versions are affected: Fortinet FortiOS 6.0.0 to 6.0.14, 6.2.0 to 6.2.10, 6.4.0 to 6.4.8, 7.0.0 to 7.0.3.

Trust: 1.71

sources: NVD: CVE-2021-44171 // JVNDB: JVNDB-2021-020385 // VULHUB: VHN-406778

AFFECTED PRODUCTS

vendor: fortinet, model: fortios, scope: gte, version: 6.2.0

Trust: 1.0

vendor: fortinet, model: fortios, scope: lte, version: 6.2.10

Trust: 1.0

vendor: fortinet, model: fortios, scope: gte, version: 6.4.0

Trust: 1.0

vendor: fortinet, model: fortios, scope: lte, version: 6.4.8

Trust: 1.0

vendor: fortinet, model: fortios, scope: lte, version: 6.0.14

Trust: 1.0

vendor: fortinet, model: fortios, scope: gte, version: 6.0.0

Trust: 1.0

vendor: fortinet, model: fortios, scope: lte, version: 7.0.3

Trust: 1.0

vendor: fortinet, model: fortios, scope: gte, version: 7.0.0

Trust: 1.0

vendor: フォーティネット, model: fortios, scope: eq, version: 7.0.0 to 7.0.3

Trust: 0.8

vendor: フォーティネット, model: fortios, scope: eq, version: -

Trust: 0.8

vendor: フォーティネット, model: fortios, scope: eq, version: 6.2.0 to 6.2.10

Trust: 0.8

vendor: フォーティネット, model: fortios, scope: eq, version: 6.4.0 to 6.4.8

Trust: 0.8

vendor: フォーティネット, model: fortios, scope: eq, version: 6.0.0 to 6.0.14

Trust: 0.8

sources: JVNDB: JVNDB-2021-020385 // NVD: CVE-2021-44171

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-44171
value: HIGH

Trust: 1.0

psirt@fortinet.com: CVE-2021-44171
value: CRITICAL

Trust: 1.0

NVD: CVE-2021-44171
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202210-361
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2021-44171
baseSeverity: HIGH
baseScore: 8.0
vectorString: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.1
impactScore: 5.9
version: 3.1

Trust: 1.0

psirt@fortinet.com: CVE-2021-44171
baseSeverity: CRITICAL
baseScore: 9.0
vectorString: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.3
impactScore: 6.0
version: 3.1

Trust: 1.0

NVD: CVE-2021-44171
baseSeverity: HIGH
baseScore: 8.0
vectorString: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2021-020385 // CNNVD: CNNVD-202210-361 // NVD: CVE-2021-44171 // NVD: CVE-2021-44171

PROBLEMTYPE DATA

problemtype: CWE-78

Trust: 1.1

problemtype: OS Command injection (CWE-78) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-406778 // JVNDB: JVNDB-2021-020385 // NVD: CVE-2021-44171

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202210-361

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-202210-361

PATCH

title: FG-IR-21-242, url: https://fortiguard.com/psirt/FG-IR-21-242

Trust: 0.8

title: Fortinet FortiOS Security vulnerabilities, url: http://123.124.177.30/web/xxk/bdxqById.tag?id=210015

Trust: 0.6

sources: JVNDB: JVNDB-2021-020385 // CNNVD: CNNVD-202210-361

EXTERNAL IDS

db: NVD, id: CVE-2021-44171

Trust: 3.3

db: JVNDB, id: JVNDB-2021-020385

Trust: 0.8

db: CNNVD, id: CNNVD-202210-361

Trust: 0.7

db: VULHUB, id: VHN-406778

Trust: 0.1

sources: VULHUB: VHN-406778 // JVNDB: JVNDB-2021-020385 // CNNVD: CNNVD-202210-361 // NVD: CVE-2021-44171

REFERENCES

url:https://fortiguard.com/psirt/fg-ir-21-242

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2021-44171

Trust: 0.8

url:https://vigilance.fr/vulnerability/fortinet-fortios-privilege-escalation-via-switch-control-cli-command-39499

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2021-44171/

Trust: 0.6

sources: VULHUB: VHN-406778 // JVNDB: JVNDB-2021-020385 // CNNVD: CNNVD-202210-361 // NVD: CVE-2021-44171

SOURCES

db: VULHUB, id: VHN-406778
db: JVNDB, id: JVNDB-2021-020385
db: CNNVD, id: CNNVD-202210-361
db: NVD, id: CVE-2021-44171

LAST UPDATE DATE

2024-08-14T14:49:32.891000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-406778, date: 2022-10-12T00:00:00
db: JVNDB, id: JVNDB-2021-020385, date: 2023-10-24T02:30:00
db: CNNVD, id: CNNVD-202210-361, date: 2022-10-13T00:00:00
db: NVD, id: CVE-2021-44171, date: 2022-10-12T18:45:20.117

SOURCES RELEASE DATE

db: VULHUB, id: VHN-406778, date: 2022-10-10T00:00:00
db: JVNDB, id: JVNDB-2021-020385, date: 2023-10-24T00:00:00
db: CNNVD, id: CNNVD-202210-361, date: 2022-10-10T00:00:00
db: NVD, id: CVE-2021-44171, date: 2022-10-10T14:15:09.650