Fortinet FortiWAN load balancer appliance contains multiple vulnerabilities
Original Release date: 06 Sep 2016 | Last revised: 06 Sep 2016

Overview
The Fortinet FortiWAN (Ascernlink) network load balancer appliance contains multiple vulnerabilities.

Description

According to the reporter, the Fortinet FortiWAN network load balancer appliance contains the following vulnerabilities.

As of publication, CERT/CC has not been able to verify this information with Fortinet.
CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) – CVE-2016-4965The diagnosis_control.php page is vulnerable to command injection via the “graph” GET parameter.

A non-administrative authenticated attacker having access privileges to the nslookup functionality can inject arbitrary operating system commands and execute them in the context of the root user.CWE-302: Authentication Bypass by Assumed-Immutable Data – CVE-2016-4966The diagnosis_control.php page has a tcpdump function, that can capture FortiWAN data packets and download captured packets to local host for analysis and debug.

A non-administrative authenticated attacker having access privileges to change the HTTP Get param “UserName” to “Administrator” to download a PCAP file of all captured packets from the FortinWAN device since the tcpdump function was activated.CWE-200: Information Exposure – CVE-2016-4967An authenticated but low privileged user may obtain a backup of the device configuration by visiting the URL /script/cfg_show.php of the FortiWAN appliance, or a PCAP of tcpdump data by visiting /script/system/tcpdump.php.CWE-200: Information Exposure – CVE-2016-4968An authenticated but low privileged user may perform a GET request of the /linkreport/tmp/admin_global page of the FortiWAN appliance, and obtain administrator login cookie.CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) – CVE-2016-4969The /script/statistics/getconn.php file’s IP parameter is vulnerable to cross-site scripting.The CVSS score below is based on CVE-2016-4965.

Impact

An authenticated but low-privileged (non-administrator) account may be able to execute OS commands in the root context, capture network traffic through the FortiWAN device, obtain appliance system configuration, or conduct cross-site scripting attacks against administrator users.

Solution

Apply an updateFortinet has released FortiWAN 4.2.5 which addresses CVE-2016-4966 in the changelog.

Affected users are encouraged to update as soon as possible.
It is currently unclear if the remaining vulnerabilities in this Vulnerability Note were also addressed in this release.

Vendor Information (Learn More)
Vendor
Status
Date Notified
Date Updated
Fortinet, Inc.
Affected
14 Jul 2016
06 Sep 2016
If you are a vendor and your product is affected, let us know.
CVSS Metrics (Learn More)
Group
Score
Vector
Base
9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal
8.0
E:POC/RL:U/RC:UR
Environmental
6.0
CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit
Thanks to Virgoteam (Fan-Syun Shih, Kun-Xian Lin, Yu-Chi, and Ding) for reporting these vulnerabilities.
This document was written by Garret Wassermann.

Other Information

Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.

Leave a Reply