search menu icon-carat-right cmu-wordmark

CERT Coordination Center

FortiNet FortiGate and FortiWiFi appliances contain multiple vulnerabilities

Vulnerability Note VU#730964

Original Release Date: 2014-09-19 | Last Revised: 2014-09-19

Overview

Fortinet FortiGate and FortiWiFi appliances are susceptible to man-in-the-middle attacks (CWE-300) and a heap-based overflow vulnerability (CWE-122).

Description

Fortinet FortiGate and FortiWiFi 4.00.6 and possibly earlier versions are susceptible to man-in-the-middle attacks (CWE-300) and a heap-based overflow vulnerability (CWE-122). The vulnerabilities exist in the FortiManager service running on TCP port 541.

CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle') - CVE-2014-0351
The FortiManager remote service relies on client-side SSL certificates to encrypt traffic between the client and server. It is possible for a client to specify the SSL cipher suite to use for the connection, including a cipher suite that does not use certificates for authentication, such as ADH-AES256-SHA. This could allow an adjacent unprivileged attacker to man-in-the-middle communications between the client and FortiManager service.

CWE-122: Heap-based Buffer Overflow - CVE-2014-2216
The FortiManager remote service uses a protocol with a message format that will allocate space for eight argument pointers on the heap. However, when parsing the message format an arbitrary number of argument pointers are accepted. This can cause a heap-based buffer overflow. A remote, unprivileged attacker may be able to exploit this vulnerability to run arbitrary code on the appliance.

The CVSS score reflects CVE-2014-2216.

Impact

A remote unauthenticated attacker may be able to man-in-the-middle traffic between the client and FortiManager service or execute arbitrary code on the appliance.

Solution

Fortinet recommends upgrading to FortiOS 4.3.16, 5.0.8, or 5.2.0 to receive the patch. Additionally, please consider the following workaround.

Disable the remote management service

The FortiManager remote service that runs on port 541 can be disabled.

Vendor Information

730964
 
Affected   Unknown   Unaffected

Fortinet, Inc.

Updated:  April 10, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Recurity

Notified:  May 07, 2014 Updated:  May 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References


    CVSS Metrics

    Group Score Vector
    Base 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P
    Temporal 3.8 E:U/RL:OF/RC:C
    Environmental 0.9 CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

    References

    Acknowledgements

    Thanks to Gregor Kopf of Recurity Labs GmbH for reporting this vulnerability.

    This document was written by Jared Allar and Todd Lewellen.

    Other Information

    CVE IDs: CVE-2014-0351, CVE-2014-2216
    Date Public: 2014-08-19
    Date First Published: 2014-09-19
    Date Last Updated: 2014-09-19 16:05 UTC
    Document Revision: 27

    Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.