{"vuid":"VU#730964","idnumber":"730964","name":"Fortinet FortiGate and FortiWiFi appliances contain multiple vulnerabilities","keywords":["fortinet","fortigate","fortiwifi","ssl","heap","overflow","mitm"],"overview":"Fortinet FortiGate and FortiWiFi appliances are susceptible to man-in-the-middle attacks (CWE-300) and a heap-based buffer overflow vulnerability (CWE-122).","clean_desc":"Fortinet FortiGate and FortiWiFi 4.00.6 and possibly earlier versions are susceptible to man-in-the-middle attacks (CWE-300) and a heap-based buffer overflow vulnerability (CWE-122). Both vulnerabilities exist in the FortiManager service listening on TCP port 541. CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle') - CVE-2014-0351\nThe FortiManager remote service relies on client-side SSL certificates to authenticate the peer and protect traffic between the client and server. However, the client chooses the SSL cipher suite used for the connection, and the service accepts cipher suites that perform no certificate-based authentication at all, such as the anonymous Diffie-Hellman suite ADH-AES256-SHA. Because neither endpoint is authenticated under such a suite, an adjacent unprivileged attacker who can intercept the connection can man-in-the-middle communications between the client and the FortiManager service. CWE-122: Heap-based Buffer Overflow - CVE-2014-2216\nThe FortiManager remote service uses a protocol whose message format is parsed into a heap allocation sized for eight argument pointers. The parser, however, accepts an arbitrary number of argument pointers from the message without checking that count against the fixed allocation, so a message carrying more than eight arguments writes past the end of the heap buffer. A remote, unprivileged attacker may be able to exploit this heap-based buffer overflow to run arbitrary code on the appliance. The CVSS score reflects CVE-2014-2216.","impact":"A remote unauthenticated attacker may be able to man-in-the-middle traffic between the client and the FortiManager service or execute arbitrary code on the appliance.","resolution":"Fortinet recommends upgrading to FortiOS 4.3.16, 5.0.8, or 5.2.0 to receive the patch.\nAdditionally, please consider the following workaround.","workarounds":"Disable the remote management service\nThe FortiManager remote service that runs on TCP port 541 can be disabled.","sysaffected":"","thanks":"Thanks to Gregor Kopf of Recurity Labs GmbH for reporting these vulnerabilities.","author":"This document was written by Jared Allar and Todd Lewellen.","public":["https://cwe.mitre.org/data/definitions/122.html","https://cwe.mitre.org/data/definitions/300.html","http://www.fortiguard.com/advisory/FG-IR-14-006/"],"cveids":["CVE-2014-0351","CVE-2014-2216"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2014-04-04T17:08:38Z","publicdate":"2014-08-19T00:00:00Z","datefirstpublished":"2014-09-19T16:04:59Z","dateupdated":"2014-09-19T16:05:05Z","revision":29,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"tcp","cvss_accessvector":"N","cvss_accesscomplexity":"H","cvss_authentication":null,"cvss_confidentialityimpact":"P","cvss_integrityimpact":"P","cvss_availabilityimpact":"P","cvss_exploitablity":null,"cvss_remediationlevel":"OF","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"L","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"5.1","cvss_basevector":"AV:N/AC:H/Au:N/C:P/I:P/A:P","cvss_temporalscore":"3.8","cvss_environmentalscore":"0.942917144012156","cvss_environmentalvector":"CDP:ND/TD:L/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}
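Worked example for the CWE-300 finding (CVE-2014-0351). The note's point is that the client picks the cipher suite and the service will accept an anonymous one such as ADH-AES256-SHA, under which no certificate authenticates either end. The C below is an added example, not code from the CERT note or from Fortinet: it parses a TLS ClientHello record and reports every anonymous DH/ECDH suite the client offers, which is the detection logic a sensor watching TCP port 541 would need. The function names and the constructed sample ClientHello are this example's own assumptions; the suite code points are the IANA values.

```c
/* Added example (not from the CERT note or Fortinet): flag anonymous cipher
 * suites in a TLS ClientHello. Function names and the sample hello are ours. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Anonymous DH/ECDH suites (IANA code points): no certificate is involved, so
 * nothing authenticates either endpoint and an on-path attacker can relay. */
static const struct { uint16_t id; const char *name; } anon_suites[] = {
    {0x0018, "ADH-RC4-MD5"},           {0x001B, "ADH-DES-CBC3-SHA"},
    {0x0034, "ADH-AES128-SHA"},        {0x003A, "ADH-AES256-SHA"},
    {0x006C, "ADH-AES128-SHA256"},     {0x006D, "ADH-AES256-SHA256"},
    {0x00A6, "ADH-AES128-GCM-SHA256"}, {0x00A7, "ADH-AES256-GCM-SHA384"},
    {0xC015, "AECDH-NULL-SHA"},        {0xC016, "AECDH-RC4-SHA"},
    {0xC017, "AECDH-DES-CBC3-SHA"},    {0xC018, "AECDH-AES128-SHA"},
    {0xC019, "AECDH-AES256-SHA"},
};

/* OpenSSL-style name for an anonymous suite id, or NULL if it is not anonymous. */
const char *anon_suite_name(uint16_t id)
{
    for (size_t i = 0; i < sizeof anon_suites / sizeof anon_suites[0]; i++)
        if (anon_suites[i].id == id) return anon_suites[i].name;
    return NULL;
}

/* Parse one TLS record holding a ClientHello (TLS 1.0-1.2 layout) and count
 * the anonymous suites offered; ids are copied into out (up to out_cap).
 * Returns the count, or -1 if the record is not a well-formed ClientHello. */
int count_anon_suites(const uint8_t *rec, size_t len, uint16_t *out, size_t out_cap)
{
    if (len < 5 || rec[0] != 0x16) return -1;                  /* not a handshake record */
    size_t rec_len = ((size_t)rec[3] << 8) | rec[4];
    if (rec_len + 5 > len) return -1;                          /* truncated record */
    if (rec_len < 4 || rec[5] != 0x01) return -1;              /* not a ClientHello */
    size_t hs_len = ((size_t)rec[6] << 16) | ((size_t)rec[7] << 8) | rec[8];
    if (hs_len + 4 > rec_len) return -1;                       /* body longer than record */
    const uint8_t *hs = rec + 9;
    if (hs_len < 2 + 32 + 1) return -1;                        /* version + random + sid len */
    size_t q = 2 + 32;
    size_t sid_len = hs[q++];
    if (q + sid_len + 2 > hs_len) return -1;                   /* session id / suites length */
    q += sid_len;
    size_t cs_len = ((size_t)hs[q] << 8) | hs[q + 1];
    q += 2;
    if (cs_len % 2 != 0 || q + cs_len > hs_len) return -1;     /* suites list out of bounds */
    int n = 0;
    for (size_t i = 0; i < cs_len; i += 2) {
        uint16_t id = (uint16_t)((hs[q + i] << 8) | hs[q + i + 1]);
        if (anon_suite_name(id) != NULL) {
            if ((size_t)n < out_cap) out[n] = id;
            n++;
        }
    }
    return n;
}

/* Build a constructed (not captured) ClientHello offering the given suites,
 * with an empty session id and null compression. Returns bytes written, 0 on overflow. */
size_t build_sample_client_hello(uint8_t *buf, size_t cap, const uint16_t *suites, size_t nsuites)
{
    size_t hs_len = 2 + 32 + 1 + 2 + 2 * nsuites + 2;
    size_t total = 5 + 4 + hs_len;
    if (cap < total || 2 * nsuites > 0xFFFF) return 0;
    size_t p = 0;
    buf[p++] = 0x16; buf[p++] = 0x03; buf[p++] = 0x01;        /* handshake record, TLS 1.0 */
    buf[p++] = (uint8_t)((4 + hs_len) >> 8); buf[p++] = (uint8_t)(4 + hs_len);
    buf[p++] = 0x01;                                          /* ClientHello */
    buf[p++] = (uint8_t)(hs_len >> 16); buf[p++] = (uint8_t)(hs_len >> 8); buf[p++] = (uint8_t)hs_len;
    buf[p++] = 0x03; buf[p++] = 0x03;                         /* client_version TLS 1.2 */
    memset(buf + p, 0x42, 32); p += 32;                       /* constructed "random" */
    buf[p++] = 0;                                             /* empty session id */
    buf[p++] = (uint8_t)((2 * nsuites) >> 8); buf[p++] = (uint8_t)(2 * nsuites);
    for (size_t i = 0; i < nsuites; i++) {
        buf[p++] = (uint8_t)(suites[i] >> 8); buf[p++] = (uint8_t)(suites[i] & 0xFF);
    }
    buf[p++] = 1; buf[p++] = 0;                               /* compression: null only */
    return p;
}

int main(void)
{
    /* Constructed hello: DHE-RSA-AES256-SHA, ADH-AES256-SHA, AES128-SHA, AECDH-AES128-SHA. */
    static const uint16_t offered[] = {0x0039, 0x003A, 0x002F, 0xC018};
    uint8_t rec[128];
    uint16_t found[8];
    size_t n = build_sample_client_hello(rec, sizeof rec, offered, 4);
    int k = count_anon_suites(rec, n, found, 8);
    printf("%d anonymous suite(s) offered\n", k);
    for (int i = 0; i < k && i < 8; i++)
        printf("  0x%04X %s\n", found[i], anon_suite_name(found[i]));
    return 0;
}
```

To check a live appliance from the client side rather than a capture, offer only anonymous suites and see whether the handshake completes, for example `openssl s_client -connect <host>:541 -cipher aNULL -tls1_2` (anonymous suites exist only up to TLS 1.2; on recent OpenSSL builds the cipher string may need `:@SECLEVEL=0` appended). A completed handshake means the service will talk to a peer that presents no certificate at all.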
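Worked example for the CWE-122 finding (CVE-2014-2216). The note says the parser allocates room for eight argument pointers on the heap and then stores a pointer for every argument the message carries. The C below is an added example, not code from the CERT note or from Fortinet, and the page does not describe the real FortiManager wire format, so it assumes a hypothetical space-separated message; the function names are this example's own. It shows the unbounded store beside the bounded one that rejects a ninth argument.

```c
/* Added example (not from the CERT note or Fortinet): the bug class behind
 * CVE-2014-2216. The space-separated message format is an assumption; the
 * real FortiManager protocol is not described on the page. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ARGS 8   /* the heap block holds exactly eight argument pointers */

/* Vulnerable parser: allocates room for MAX_ARGS pointers but stores a pointer
 * for every token the message carries. A message with more than eight
 * arguments writes past the end of the heap block (CWE-122). Only call this
 * with a message of at most eight tokens; it is here for contrast. */
int parse_args_vulnerable(char *msg, char ***out_argv)
{
    char **argv = malloc(MAX_ARGS * sizeof *argv);
    if (argv == NULL) return -1;
    int argc = 0;
    for (char *tok = strtok(msg, " "); tok != NULL; tok = strtok(NULL, " "))
        argv[argc++] = tok;                 /* no bound check against MAX_ARGS */
    *out_argv = argv;
    return argc;
}

/* Hardened parser: the count is checked against the allocation before each
 * store, and an over-long message is dropped instead of overflowing. */
int parse_args_fixed(char *msg, char ***out_argv)
{
    char **argv = malloc(MAX_ARGS * sizeof *argv);
    if (argv == NULL) return -1;
    int argc = 0;
    for (char *tok = strtok(msg, " "); tok != NULL; tok = strtok(NULL, " ")) {
        if (argc >= MAX_ARGS) {             /* ninth argument would overflow */
            free(argv);
            *out_argv = NULL;
            return -1;
        }
        argv[argc++] = tok;
    }
    *out_argv = argv;
    return argc;
}

/* Build a constructed message of nargs tokens "arg0 arg1 ...".
 * Returns its length, or -1 if buf cannot hold it. */
int make_message(int nargs, char *buf, size_t cap)
{
    if (cap == 0) return -1;
    size_t used = 0;
    buf[0] = '\0';
    for (int i = 0; i < nargs; i++) {
        int w = snprintf(buf + used, cap - used, "%sarg%d", i ? " " : "", i);
        if (w < 0 || (size_t)w >= cap - used) return -1;
        used += (size_t)w;
    }
    return (int)used;
}

int main(void)
{
    char m8[128], m9[128];
    char **argv = NULL;
    make_message(8, m8, sizeof m8);
    make_message(9, m9, sizeof m9);
    printf("fixed parser, 8 args: %d\n", parse_args_fixed(m8, &argv));
    free(argv);
    printf("fixed parser, 9 args: %d (rejected)\n", parse_args_fixed(m9, &argv));
    /* parse_args_vulnerable(m9, ...) would corrupt the heap; not run here. */
    return 0;
}
```

The check has to come before the store, not after the loop: by the time a count is compared afterwards the ninth pointer has already landed in whatever heap metadata or neighbouring allocation follows the block, which is exactly the corruption an attacker steers toward code execution.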