cvelistv5 - CVE-2015-4077

CVE-2015-4077 (GCVE-0-2015-4077)

Vulnerability from cvelistv5 – Published: 2015-09-03 14:00 – Updated: 2024-08-06 06:04

Summary

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	http://www.coresecurity.com/advisories/forticlien…	x_refsource_MISC
	http://packetstormsecurity.com/files/133398/Forti…	x_refsource_MISC
	https://www.exploit-db.com/exploits/45149/	exploitx_refsource_EXPLOIT-DB
	http://www.securitytracker.com/id/1033439	vdb-entryx_refsource_SECTRACK
	http://www.fortiguard.com/advisory/mulitple-vulne…	x_refsource_CONFIRM
	http://www.securityfocus.com/archive/1/536369/100…	mailing-listx_refsource_BUGTRAQ
	http://fortiguard.com/advisory/mulitple-vulnerabi…	x_refsource_CONFIRM
	http://seclists.org/fulldisclosure/2015/Sep/0	mailing-listx_refsource_FULLDISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T06:04:02.679Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.coresecurity.com/advisories/forticlient-antivirus-multiple-vulnerabilities"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/133398/FortiClient-Antivirus-Information-Exposure-Access-Control.html"
          },
          {
            "name": "45149",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/45149/"
          },
          {
            "name": "1033439",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1033439"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient"
          },
          {
            "name": "20150901 [CORE-2015-0013] - FortiClient Antivirus Multiple Vulnerabilities",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/536369/100/0/threaded"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient"
          },
          {
            "name": "20150901 [CORE-2015-0013] - FortiClient Antivirus Multiple Vulnerabilities",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2015/Sep/0"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-09-01T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The (1) mdare64_48.sys, (2) mdare32_48.sys, (3) mdare32_52.sys, and (4) mdare64_52.sys drivers in Fortinet FortiClient before 5.2.4 allow local users to read arbitrary kernel memory via a 0x22608C ioctl call."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-09T18:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.coresecurity.com/advisories/forticlient-antivirus-multiple-vulnerabilities"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/133398/FortiClient-Antivirus-Information-Exposure-Access-Control.html"
        },
        {
          "name": "45149",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/45149/"
        },
        {
          "name": "1033439",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1033439"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient"
        },
        {
          "name": "20150901 [CORE-2015-0013] - FortiClient Antivirus Multiple Vulnerabilities",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/536369/100/0/threaded"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient"
        },
        {
          "name": "20150901 [CORE-2015-0013] - FortiClient Antivirus Multiple Vulnerabilities",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2015/Sep/0"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2015-4077",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The (1) mdare64_48.sys, (2) mdare32_48.sys, (3) mdare32_52.sys, and (4) mdare64_52.sys drivers in Fortinet FortiClient before 5.2.4 allow local users to read arbitrary kernel memory via a 0x22608C ioctl call."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.coresecurity.com/advisories/forticlient-antivirus-multiple-vulnerabilities",
              "refsource": "MISC",
              "url": "http://www.coresecurity.com/advisories/forticlient-antivirus-multiple-vulnerabilities"
            },
            {
              "name": "http://packetstormsecurity.com/files/133398/FortiClient-Antivirus-Information-Exposure-Access-Control.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/133398/FortiClient-Antivirus-Information-Exposure-Access-Control.html"
            },
            {
              "name": "45149",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/45149/"
            },
            {
              "name": "1033439",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1033439"
            },
            {
              "name": "http://www.fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient",
              "refsource": "CONFIRM",
              "url": "http://www.fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient"
            },
            {
              "name": "20150901 [CORE-2015-0013] - FortiClient Antivirus Multiple Vulnerabilities",
              "refsource": "BUGTRAQ",
              "url": "http://www.securityfocus.com/archive/1/536369/100/0/threaded"
            },
            {
              "name": "http://fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient",
              "refsource": "CONFIRM",
              "url": "http://fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient"
            },
            {
              "name": "20150901 [CORE-2015-0013] - FortiClient Antivirus Multiple Vulnerabilities",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2015/Sep/0"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2015-4077",
    "datePublished": "2015-09-03T14:00:00",
    "dateReserved": "2015-05-22T00:00:00",
    "dateUpdated": "2024-08-06T06:04:02.679Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"5.2.3\", \"matchCriteriaId\": \"7123E6A7-54BE-4406-9B1A-EF3E5B367601\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The (1) mdare64_48.sys, (2) mdare32_48.sys, (3) mdare32_52.sys, and (4) mdare64_52.sys drivers in Fortinet FortiClient before 5.2.4 allow local users to read arbitrary kernel memory via a 0x22608C ioctl call.\"}, {\"lang\": \"es\", \"value\": \"Los controladores (1) mdare64_48.sys, (2) mdare32_48.sys, (3) mdare32_52.sys y (4) mdare64_52.sys en Fortinet FortiClient en versiones anteriores a 5.2.4 permiten a usuarios locales leer memoria del kernel arbitraria a trav\\u00e9s de una llamada ioctl 0x22608C.\"}]",
      "id": "CVE-2015-4077",
      "lastModified": "2024-11-21T02:30:24.980",
      "metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:L/AC:L/Au:N/C:P/I:N/A:N\", \"baseScore\": 2.1, \"accessVector\": \"LOCAL\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 3.9, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2015-09-03T14:59:00.163",
      "references": "[{\"url\": \"http://fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://packetstormsecurity.com/files/133398/FortiClient-Antivirus-Information-Exposure-Access-Control.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://seclists.org/fulldisclosure/2015/Sep/0\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.coresecurity.com/advisories/forticlient-antivirus-multiple-vulnerabilities\", \"source\": \"cve@mitre.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient\", \"source\": \"cve@mitre.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.securityfocus.com/archive/1/536369/100/0/threaded\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.securitytracker.com/id/1033439\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://www.exploit-db.com/exploits/45149/\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://packetstormsecurity.com/files/133398/FortiClient-Antivirus-Information-Exposure-Access-Control.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://seclists.org/fulldisclosure/2015/Sep/0\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.coresecurity.com/advisories/forticlient-antivirus-multiple-vulnerabilities\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.securityfocus.com/archive/1/536369/100/0/threaded\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securitytracker.com/id/1033439\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.exploit-db.com/exploits/45149/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-200\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2015-4077\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2015-09-03T14:59:00.163\",\"lastModified\":\"2025-04-12T10:46:40.837\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The (1) mdare64_48.sys, (2) mdare32_48.sys, (3) mdare32_52.sys, and (4) mdare64_52.sys drivers in Fortinet FortiClient before 5.2.4 allow local users to read arbitrary kernel memory via a 0x22608C ioctl call.\"},{\"lang\":\"es\",\"value\":\"Los controladores (1) mdare64_48.sys, (2) mdare32_48.sys, (3) mdare32_52.sys y (4) mdare64_52.sys en Fortinet FortiClient en versiones anteriores a 5.2.4 permiten a usuarios locales leer memoria del kernel arbitraria a trav\u00e9s de una llamada ioctl 0x22608C.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":2.1,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":3.9,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"5.2.3\",\"matchCriteriaId\":\"7123E6A7-54BE-4406-9B1A-EF3E5B367601\"}]}]}],\"references\":[{\"url\":\"http://fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://packetstormsecurity.com/files/133398/FortiClient-Antivirus-Information-Exposure-Access-Control.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://seclists.org/fulldisclosure/2015/Sep/0\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.coresecurity.com/advisories/forticlient-antivirus-multiple-vulnerabilities\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/archive/1/536369/100/0/threaded\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securitytracker.com/id/1033439\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.exploit-db.com/exploits/45149/\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://packetstormsecurity.com/files/133398/FortiClient-Antivirus-Information-Exposure-Access-Control.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://seclists.org/fulldisclosure/2015/Sep/0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.coresecurity.com/advisories/forticlient-antivirus-multiple-vulnerabilities\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/archive/1/536369/100/0/threaded\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securitytracker.com/id/1033439\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.exploit-db.com/exploits/45149/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

VAR-201509-0441

Vulnerability from variot - Updated: 2023-12-18 12:37

The (1) mdare64_48.sys, (2) mdare32_48.sys, (3) mdare32_52.sys, and (4) mdare64_52.sys drivers in Fortinet FortiClient before 5.2.4 allow local users to read arbitrary kernel memory via a 0x22608C ioctl call. Fortinet FortiClient is prone to multiple local information-disclosure vulnerabilities. Local attackers can exploit these issues to cause a kernel memory leak to obtain sensitive information that may lead to further attacks. Fortinet FortiClient 5.2.3.633 is vulnerable; other versions may also be affected. Fortinet FortiClient is a mobile terminal security solution developed by Fortinet. The solution provides IPsec and SSL encryption, WAN optimization, endpoint compliance, and two-factor authentication when connected to FortiGate firewall appliances. 1. Advisory Information

Title: FortiClient Antivirus Multiple Vulnerabilities Advisory ID: CORE-2015-0013 Advisory URL: http://www.coresecurity.com/advisories/forticlient-antivirus-multiple-vulnerabilities Date published: 2015-09-01 Date of last update: 2015-09-01 Vendors contacted: Fortinet Release mode: Coordinated release

Vulnerability Information

Class: Information Exposure [CWE-200], Write-what-where Condition [CWE-123], Exposed Dangerous Method or Function [CWE-749], Exposed IOCTL with Insufficient Access Control [CWE-782] Impact: Code execution Remotely Exploitable: No Locally Exploitable: Yes CVE Name: CVE-2015-4077, CVE-2015-5735, CVE-2015-5736, CVE-2015-5737

Vulnerability Description

Fortinet FortiClient [1] extends the power of FortiGate's Unified threat management to endpoints on your network. Desktops, laptops, tablets and smartphones, FortiClient enables every device - local or remote, stationary or mobile - to integrate with your FortiGate. With no per-seat license fees, FortiClient takes the headaches out of managing multiple endpoints so your users and guests can work efficiently anywhere, without compromising your security.

FortiClient drivers are prone to multiple attacks and expose a wide surface that allows users to easily get SYSTEM privileges.

Vendor Information, Solutions and Workarounds

Fortinet released an updated version of FortiClient 5.2.4.0650 [2] that fixes the reported issues.

Credits

These vulnerabilities were discovered and researched by Enrique Nissim from Core Security's Consulting Team. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from Core Security's Advisories Team.

Technical Description / Proof of Concept Code

[CVE-2015-4077] The vulnerability lies in the drivers "mdare64_48.sys", "mdare32_48.sys", "mdare32_52.sys" and "mdare64_52.sys".

[CVE-2015-5735] The vulnerability lies in the drivers "mdare64_48.sys", "mdare32_48.sys", "mdare32_52.sys" and "mdare64_52.sys".

[CVE-2015-5736] The vulnerability lies in "Fortishield.sys", which is a minifilter filesystem driver that hooks filesystem operations. IOCTL 0x220024 and 0x220028 both allow establishing callbacks that will be called during any IRP_MJ_WRITE and IRP_MJ_SET_INFORMATION, respectively. Consequently, any user in the system can set an arbitrary function as a callback and execute code with kernel privileges.

[CVE-2015-5737] The vulnerability lies in the drivers "mdare64_48.sys", "mdare32_48.sys", "mdare32_52.sys", "mdare64_52.sys" and "Fortishield.sys". All of these drivers expose an API to manage processes and the Windows registry. For instance, the IOCTL 0x2220c8 of the "mdareXX_XX.sys" driver returns a full privileged handle to a given process PID. This same function is replicated inside "Fortishield.sys".

Report Timeline

2015-06-25: Core Security notified Fortinet of the vulnerabilities. Publication date set for July 27th, 2015. 2015-06-30: Fortinet replied that they received Core Security's email and that they would like to receive the draft version of the advisory. 2015-07-01: Core Security sent Fortinet the draft version of the advisory and requested a tentative schedule for releasing the updates. 2015-07-01: Fortinet replied that they received the draft version of the advisory and that they would review it. 2015-07-15: Core Security requested an update from Fortinet regarding the reported vulnerabilities and a tentative schedule. 2015-07-19: Fortinet replied and confirmed the reported bugs, but stated that they were only able to trigger them with administrative privileges. They requested a PoC from Core Security. 2015-07-20: Core Security replied, explaining to Fortinet that they were able to trigger the vulnerabilities as a non-privileged user. They sent Fortinet a PoC code that opens a handle with read/write permissions to LSASS process and then uses it to allocate memory in its virtual address space. 2015-07-20: Fortinet replied that they would review the PoC. 2015-07-20: Fortinet asked if Core Security researchers could review an interim build when available. 2015-07-21: Core Security confirmed that they would be willing to review an interim build when available. 2015-08-03: Core Security requested an update from Fortinet regarding the availability of the interim build, and asked if there was a specific date Fortinet was planning to release the fix. 2015-08-04: Fortinet replied that their current release date was August 17. 2015-08-05: Fortinet updated the schedule, explaining that the interim build wouldn't include the MDARE fixes therefore delaying the release until the end of August. 2015-08-07: Core Security asked Fortinet if the interim build was going to be published by Fortinet, because if so, that would force Core Security to publish their findings as well. If that wasn't the case, Core Security recommended publishing everything together later that month. 2015-08-07: Fortinet replied that the interim build was private and therefore there wasn't a need to publish ahead of schedule. 2015-08-10: Fortinet sent Core Security a link to download the interim build and requested feedback. 2015-08-10: Core Security replied that they received and downloaded the interim build and would send feedback. Additionally, Core Security requested an updated ETA. 2015-08-18: Core Security requested the specific date Fortinet would release the patched version of their product so they could schedule their security advisory publication accordingly. 2015-08-20: Core Security again requested for a specific date for the publication of the updates and informed Fortinet them that if they didn't receive and answer in the following days they would be forced to schedule the advisory publication. 2015-08-20: Fortinet replied that the scheduled release date for the updated version of FortiClient was August 31. They asked if they had an opportunity to review the interim build andif they had any feedback. 2015-08-24: Core Security replied that they were able to review the interim build and that they could confirm that those bugs were no longer exploitable.Core Security requested and updated ETA of the updated version. 2015-08-24: Fortinet replied that the scheduled release seemed to be confirmed and that the estimated time of availability would be roughly 5 p.m. Pacific Time. 9. References

[1] http://www.forticlient.com/. [2] http://docs.fortinet.com/d/forticlient-5.2.4-windows-release-notes.pdf.

About CoreLabs

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

About Core Security

Core Security enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted research and leading threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.

Disclaimer

The contents of this advisory are copyright (c) 2014 Core Security and (c) 2014 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201509-0441",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "forticlient",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "fortinet",
        "version": "5.2.3"
      },
      {
        "model": "forticlient",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "fortinet",
        "version": "5.2.4"
      },
      {
        "model": "forticlient",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "fortinet",
        "version": "5.2.3"
      },
      {
        "model": "forticlient",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "fortinet",
        "version": "5.2.3.633"
      },
      {
        "model": "forticlient",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "fortinet",
        "version": "5.2.4.0650"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "76541"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-004583"
      },
      {
        "db": "NVD",
        "id": "CVE-2015-4077"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201509-017"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "5.2.3",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2015-4077"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Enrique Nissim from Core Security\u0027s Consulting Team",
    "sources": [
      {
        "db": "BID",
        "id": "76541"
      }
    ],
    "trust": 0.3
  },
  "cve": "CVE-2015-4077",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 2.1,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 3.9,
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "LOW",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Local",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 2.1,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "CVE-2015-4077",
            "impactScore": null,
            "integrityImpact": "None",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Low",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "NONE",
            "baseScore": 2.1,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 3.9,
            "id": "VHN-82038",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "LOW",
            "trust": 0.1,
            "vectorString": "AV:L/AC:L/AU:N/C:P/I:N/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2015-4077",
            "trust": 1.8,
            "value": "LOW"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201509-017",
            "trust": 0.6,
            "value": "LOW"
          },
          {
            "author": "VULHUB",
            "id": "VHN-82038",
            "trust": 0.1,
            "value": "LOW"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-82038"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-004583"
      },
      {
        "db": "NVD",
        "id": "CVE-2015-4077"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201509-017"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "The (1) mdare64_48.sys, (2) mdare32_48.sys, (3) mdare32_52.sys, and (4) mdare64_52.sys drivers in Fortinet FortiClient before 5.2.4 allow local users to read arbitrary kernel memory via a 0x22608C ioctl call. Fortinet FortiClient is prone to multiple local information-disclosure vulnerabilities. \nLocal attackers can exploit these issues to cause a kernel memory leak to  obtain sensitive information that may lead to further attacks. \nFortinet FortiClient 5.2.3.633 is vulnerable; other versions may also be affected. Fortinet FortiClient is a mobile terminal security solution developed by Fortinet. The solution provides IPsec and SSL encryption, WAN optimization, endpoint compliance, and two-factor authentication when connected to FortiGate firewall appliances. 1. Advisory Information\n\nTitle: FortiClient Antivirus Multiple Vulnerabilities\nAdvisory ID: CORE-2015-0013\nAdvisory URL: http://www.coresecurity.com/advisories/forticlient-antivirus-multiple-vulnerabilities\nDate published: 2015-09-01\nDate of last update: 2015-09-01\nVendors contacted: Fortinet\nRelease mode: Coordinated release\n\n\n2. Vulnerability Information\n\nClass: Information Exposure [CWE-200], Write-what-where Condition [CWE-123], Exposed Dangerous Method or Function [CWE-749], Exposed IOCTL with Insufficient Access Control [CWE-782]\nImpact: Code execution\nRemotely Exploitable: No\nLocally Exploitable: Yes\nCVE Name: CVE-2015-4077, CVE-2015-5735, CVE-2015-5736, CVE-2015-5737\n\n\n\n3. Vulnerability Description\n\nFortinet FortiClient [1] extends the power of FortiGate\u0027s Unified threat management to endpoints on your network. Desktops, laptops, tablets and smartphones, FortiClient enables every device - local or remote, stationary or mobile - to integrate with your FortiGate. With no per-seat license fees, FortiClient takes the headaches out of managing multiple endpoints so your users and guests can work efficiently anywhere, without compromising your security. \n\nFortiClient drivers are prone to multiple attacks and expose a wide surface that allows users to easily get SYSTEM privileges. \n\n\n4. \n\n\n5. Vendor Information, Solutions and Workarounds\n\nFortinet released an updated version of FortiClient 5.2.4.0650 [2] that fixes the reported issues. \n\n\n6. Credits\n\nThese vulnerabilities were discovered and researched by Enrique Nissim from Core Security\u0027s Consulting Team. The publication of this advisory was coordinated by Joaqu\u00edn Rodr\u00edguez Varela from Core Security\u0027s Advisories Team. \n\n\n\n7. Technical Description / Proof of Concept Code\n\n[CVE-2015-4077] The vulnerability lies in the drivers \"mdare64_48.sys\", \"mdare32_48.sys\", \"mdare32_52.sys\" and \"mdare64_52.sys\". \n\n[CVE-2015-5735] The vulnerability lies in the drivers \"mdare64_48.sys\", \"mdare32_48.sys\", \"mdare32_52.sys\" and \"mdare64_52.sys\". \n\n[CVE-2015-5736] The vulnerability lies in \"Fortishield.sys\", which is a minifilter filesystem driver that hooks filesystem operations. IOCTL 0x220024 and 0x220028 both allow establishing callbacks that will be called during any IRP_MJ_WRITE and IRP_MJ_SET_INFORMATION, respectively. Consequently, any user in the system can set an arbitrary function as a callback and execute code with kernel privileges. \n\n[CVE-2015-5737] The vulnerability lies in the drivers \"mdare64_48.sys\", \"mdare32_48.sys\", \"mdare32_52.sys\", \"mdare64_52.sys\" and \"Fortishield.sys\". All of these drivers expose an API to manage processes and the Windows registry. For instance, the IOCTL 0x2220c8 of the \"mdareXX_XX.sys\" driver returns a full privileged handle to a given process PID. This same function is replicated inside \"Fortishield.sys\". \n\n\n\n8. Report Timeline\n\n2015-06-25: Core Security notified Fortinet of the vulnerabilities. Publication date set for July 27th, 2015. \n2015-06-30: Fortinet replied that they received Core Security\u0027s email and that they would like to receive the draft version of the advisory. \n2015-07-01: Core Security sent Fortinet the draft version of the advisory and requested a tentative schedule for releasing the updates. \n2015-07-01: Fortinet replied that they received the draft version of the advisory and that they would review it. \n2015-07-15: Core Security requested an update from Fortinet regarding the reported vulnerabilities and a tentative schedule. \n2015-07-19: Fortinet replied and confirmed the reported bugs, but stated that they were only able to trigger them with administrative privileges. They requested a PoC from Core Security. \n2015-07-20: Core Security replied, explaining to Fortinet that they were able to trigger the vulnerabilities as a non-privileged user. They sent Fortinet a PoC code that opens a handle with read/write permissions to LSASS process and then uses it to allocate memory in its virtual address space. \n2015-07-20: Fortinet replied that they would review the PoC. \n2015-07-20: Fortinet asked if Core Security researchers could review an interim build when available. \n2015-07-21: Core Security confirmed that they would be willing to review an interim build when available. \n2015-08-03: Core Security requested an update from Fortinet regarding the availability of the interim build, and asked if there was a specific date Fortinet was planning to release the fix. \n2015-08-04: Fortinet replied that their current release date was August 17. \n2015-08-05: Fortinet updated the schedule, explaining that the interim build wouldn\u0027t include the MDARE fixes therefore delaying the release until the end of August. \n2015-08-07: Core Security asked Fortinet if the interim build was going to be published by Fortinet, because if so, that would force Core Security to publish their findings as well. If that wasn\u0027t the case, Core Security recommended publishing everything together later that month. \n2015-08-07: Fortinet replied that the interim build was private and therefore there wasn\u0027t a need to publish ahead of schedule. \n2015-08-10: Fortinet sent Core Security a link to download the interim build and requested feedback. \n2015-08-10: Core Security replied that they received and downloaded the interim build and would send feedback. Additionally, Core Security requested an updated ETA. \n2015-08-18: Core Security requested the specific date Fortinet would release the patched version of their product so they could schedule their security advisory publication accordingly. \n2015-08-20: Core Security again requested for a specific date for the publication of the updates and informed Fortinet them that if they didn\u0027t receive and answer in the following days they would be forced to schedule the advisory publication. \n2015-08-20: Fortinet replied that the scheduled release date for the updated version of FortiClient was August 31. They asked if they had an opportunity to review the interim build andif they had any feedback. \n2015-08-24: Core Security replied that they were able to review the interim build and that they could confirm that those bugs were no longer exploitable.Core Security requested and updated ETA of the updated version. \n2015-08-24: Fortinet replied that the scheduled release seemed to be confirmed and that the estimated time of availability would be roughly 5 p.m. Pacific Time. \n9. References\n\n[1] http://www.forticlient.com/. \n[2] http://docs.fortinet.com/d/forticlient-5.2.4-windows-release-notes.pdf. \n\n\n10. About CoreLabs\n\nCoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. \n\n\n11. About Core Security\n\nCore Security enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. \n\nCore Security\u0027s software solutions build on over a decade of trusted research and leading threat expertise from the company\u0027s Security Consulting Services, CoreLabs and Engineering groups. Core Security can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. \n\n\n12. Disclaimer\n\nThe contents of this advisory are copyright (c) 2014 Core Security and (c) 2014 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\n\n\n13. PGP/GPG Keys\n\nThis advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2015-4077"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-004583"
      },
      {
        "db": "BID",
        "id": "76541"
      },
      {
        "db": "VULHUB",
        "id": "VHN-82038"
      },
      {
        "db": "PACKETSTORM",
        "id": "133398"
      }
    ],
    "trust": 2.07
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-82038",
        "trust": 0.1,
        "type": "unknown"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-82038"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2015-4077",
        "trust": 2.9
      },
      {
        "db": "SECTRACK",
        "id": "1033439",
        "trust": 1.7
      },
      {
        "db": "PACKETSTORM",
        "id": "133398",
        "trust": 1.2
      },
      {
        "db": "EXPLOIT-DB",
        "id": "45149",
        "trust": 1.1
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-004583",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201509-017",
        "trust": 0.7
      },
      {
        "db": "BID",
        "id": "76541",
        "trust": 0.4
      },
      {
        "db": "PACKETSTORM",
        "id": "148811",
        "trust": 0.1
      },
      {
        "db": "VULHUB",
        "id": "VHN-82038",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-82038"
      },
      {
        "db": "BID",
        "id": "76541"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-004583"
      },
      {
        "db": "PACKETSTORM",
        "id": "133398"
      },
      {
        "db": "NVD",
        "id": "CVE-2015-4077"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201509-017"
      }
    ]
  },
  "id": "VAR-201509-0441",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-82038"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2023-12-18T12:37:56.186000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Mulitple Vulnerabilities in FortiClient",
        "trust": 0.8,
        "url": "http://www.fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient"
      },
      {
        "title": "Fortinet FortiClient Repair measures for information disclosure vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=61016"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-004583"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201509-017"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-200",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-82038"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-004583"
      },
      {
        "db": "NVD",
        "id": "CVE-2015-4077"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.1,
        "url": "http://www.coresecurity.com/advisories/forticlient-antivirus-multiple-vulnerabilities"
      },
      {
        "trust": 1.7,
        "url": "http://www.fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient"
      },
      {
        "trust": 1.7,
        "url": "http://www.securitytracker.com/id/1033439"
      },
      {
        "trust": 1.1,
        "url": "http://www.securityfocus.com/archive/1/536369/100/0/threaded"
      },
      {
        "trust": 1.1,
        "url": "http://fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient"
      },
      {
        "trust": 1.1,
        "url": "https://www.exploit-db.com/exploits/45149/"
      },
      {
        "trust": 1.1,
        "url": "http://seclists.org/fulldisclosure/2015/sep/0"
      },
      {
        "trust": 1.1,
        "url": "http://packetstormsecurity.com/files/133398/forticlient-antivirus-information-exposure-access-control.html"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-4077"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-4077"
      },
      {
        "trust": 0.3,
        "url": "http://docs.fortinet.com/d/forticlient-5.2.4-windows-release-notes.pdf"
      },
      {
        "trust": 0.3,
        "url": "http://www.forticlient.com/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2015-4077"
      },
      {
        "trust": 0.1,
        "url": "http://www.coresecurity.com/files/attachments/core_security_advisories.asc."
      },
      {
        "trust": 0.1,
        "url": "http://www.forticlient.com/."
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2015-5735"
      },
      {
        "trust": 0.1,
        "url": "http://www.coresecurity.com."
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2015-5737"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2015-5736"
      },
      {
        "trust": 0.1,
        "url": "http://creativecommons.org/licenses/by-nc-sa/3.0/us/"
      },
      {
        "trust": 0.1,
        "url": "http://corelabs.coresecurity.com."
      },
      {
        "trust": 0.1,
        "url": "http://docs.fortinet.com/d/forticlient-5.2.4-windows-release-notes.pdf."
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-82038"
      },
      {
        "db": "BID",
        "id": "76541"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-004583"
      },
      {
        "db": "PACKETSTORM",
        "id": "133398"
      },
      {
        "db": "NVD",
        "id": "CVE-2015-4077"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201509-017"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-82038"
      },
      {
        "db": "BID",
        "id": "76541"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-004583"
      },
      {
        "db": "PACKETSTORM",
        "id": "133398"
      },
      {
        "db": "NVD",
        "id": "CVE-2015-4077"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201509-017"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2015-09-03T00:00:00",
        "db": "VULHUB",
        "id": "VHN-82038"
      },
      {
        "date": "2015-09-01T00:00:00",
        "db": "BID",
        "id": "76541"
      },
      {
        "date": "2015-09-07T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2015-004583"
      },
      {
        "date": "2015-09-02T06:55:53",
        "db": "PACKETSTORM",
        "id": "133398"
      },
      {
        "date": "2015-09-03T14:59:00.163000",
        "db": "NVD",
        "id": "CVE-2015-4077"
      },
      {
        "date": "2015-09-07T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201509-017"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2018-10-09T00:00:00",
        "db": "VULHUB",
        "id": "VHN-82038"
      },
      {
        "date": "2015-09-01T00:00:00",
        "db": "BID",
        "id": "76541"
      },
      {
        "date": "2015-09-07T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2015-004583"
      },
      {
        "date": "2018-10-09T19:57:03.187000",
        "db": "NVD",
        "id": "CVE-2015-4077"
      },
      {
        "date": "2015-09-07T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201509-017"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "local",
    "sources": [
      {
        "db": "BID",
        "id": "76541"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201509-017"
      }
    ],
    "trust": 0.9
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Fortinet FortiClient Multiple driver vulnerabilities in arbitrary kernel memory can be read",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-004583"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "information disclosure",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201509-017"
      }
    ],
    "trust": 0.6
  }
}

FKIE_CVE-2015-4077

Vulnerability from fkie_nvd - Published: 2015-09-03 14:59 - Updated: 2025-04-12 10:46

Severity ?

Summary

References

URL	Tags
cve@mitre.org	http://fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient
cve@mitre.org	http://packetstormsecurity.com/files/133398/FortiClient-Antivirus-Information-Exposure-Access-Control.html
cve@mitre.org	http://seclists.org/fulldisclosure/2015/Sep/0
cve@mitre.org	http://www.coresecurity.com/advisories/forticlient-antivirus-multiple-vulnerabilities	Vendor Advisory
cve@mitre.org	http://www.fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient	Vendor Advisory
cve@mitre.org	http://www.securityfocus.com/archive/1/536369/100/0/threaded
cve@mitre.org	http://www.securitytracker.com/id/1033439
cve@mitre.org	https://www.exploit-db.com/exploits/45149/
af854a3a-2127-422b-91ae-364da2661108	http://fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/133398/FortiClient-Antivirus-Information-Exposure-Access-Control.html
af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/fulldisclosure/2015/Sep/0
af854a3a-2127-422b-91ae-364da2661108	http://www.coresecurity.com/advisories/forticlient-antivirus-multiple-vulnerabilities	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/archive/1/536369/100/0/threaded
af854a3a-2127-422b-91ae-364da2661108	http://www.securitytracker.com/id/1033439
af854a3a-2127-422b-91ae-364da2661108	https://www.exploit-db.com/exploits/45149/

Impacted products

	Vendor	Product	Version
	fortinet	forticlient	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7123E6A7-54BE-4406-9B1A-EF3E5B367601",
              "versionEndIncluding": "5.2.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The (1) mdare64_48.sys, (2) mdare32_48.sys, (3) mdare32_52.sys, and (4) mdare64_52.sys drivers in Fortinet FortiClient before 5.2.4 allow local users to read arbitrary kernel memory via a 0x22608C ioctl call."
    },
    {
      "lang": "es",
      "value": "Los controladores (1) mdare64_48.sys, (2) mdare32_48.sys, (3) mdare32_52.sys y (4) mdare64_52.sys en Fortinet FortiClient en versiones anteriores a 5.2.4 permiten a usuarios locales leer memoria del kernel arbitraria a trav\u00e9s de una llamada ioctl 0x22608C."
    }
  ],
  "id": "CVE-2015-4077",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 2.1,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2015-09-03T14:59:00.163",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://packetstormsecurity.com/files/133398/FortiClient-Antivirus-Information-Exposure-Access-Control.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://seclists.org/fulldisclosure/2015/Sep/0"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.coresecurity.com/advisories/forticlient-antivirus-multiple-vulnerabilities"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/archive/1/536369/100/0/threaded"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securitytracker.com/id/1033439"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://www.exploit-db.com/exploits/45149/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://packetstormsecurity.com/files/133398/FortiClient-Antivirus-Information-Exposure-Access-Control.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://seclists.org/fulldisclosure/2015/Sep/0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.coresecurity.com/advisories/forticlient-antivirus-multiple-vulnerabilities"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/archive/1/536369/100/0/threaded"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securitytracker.com/id/1033439"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.exploit-db.com/exploits/45149/"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-8FJH-3J4G-4F5V

Vulnerability from github – Published: 2022-05-14 02:48 – Updated: 2025-04-12 12:51

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2015-4077"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2015-09-03T14:59:00Z",
    "severity": "LOW"
  },
  "details": "The (1) mdare64_48.sys, (2) mdare32_48.sys, (3) mdare32_52.sys, and (4) mdare64_52.sys drivers in Fortinet FortiClient before 5.2.4 allow local users to read arbitrary kernel memory via a 0x22608C ioctl call.",
  "id": "GHSA-8fjh-3j4g-4f5v",
  "modified": "2025-04-12T12:51:32Z",
  "published": "2022-05-14T02:48:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-4077"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/45149"
    },
    {
      "type": "WEB",
      "url": "http://fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/133398/FortiClient-Antivirus-Information-Exposure-Access-Control.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2015/Sep/0"
    },
    {
      "type": "WEB",
      "url": "http://www.coresecurity.com/advisories/forticlient-antivirus-multiple-vulnerabilities"
    },
    {
      "type": "WEB",
      "url": "http://www.fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/536369/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1033439"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GSD-2015-4077

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2015-4077

Aliases

CVE-2015-4077

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2015-4077",
    "description": "The (1) mdare64_48.sys, (2) mdare32_48.sys, (3) mdare32_52.sys, and (4) mdare64_52.sys drivers in Fortinet FortiClient before 5.2.4 allow local users to read arbitrary kernel memory via a 0x22608C ioctl call.",
    "id": "GSD-2015-4077",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2015-4077"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2015-4077"
      ],
      "details": "The (1) mdare64_48.sys, (2) mdare32_48.sys, (3) mdare32_52.sys, and (4) mdare64_52.sys drivers in Fortinet FortiClient before 5.2.4 allow local users to read arbitrary kernel memory via a 0x22608C ioctl call.",
      "id": "GSD-2015-4077",
      "modified": "2023-12-13T01:19:59.884051Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2015-4077",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The (1) mdare64_48.sys, (2) mdare32_48.sys, (3) mdare32_52.sys, and (4) mdare64_52.sys drivers in Fortinet FortiClient before 5.2.4 allow local users to read arbitrary kernel memory via a 0x22608C ioctl call."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://www.coresecurity.com/advisories/forticlient-antivirus-multiple-vulnerabilities",
            "refsource": "MISC",
            "url": "http://www.coresecurity.com/advisories/forticlient-antivirus-multiple-vulnerabilities"
          },
          {
            "name": "http://packetstormsecurity.com/files/133398/FortiClient-Antivirus-Information-Exposure-Access-Control.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/133398/FortiClient-Antivirus-Information-Exposure-Access-Control.html"
          },
          {
            "name": "45149",
            "refsource": "EXPLOIT-DB",
            "url": "https://www.exploit-db.com/exploits/45149/"
          },
          {
            "name": "1033439",
            "refsource": "SECTRACK",
            "url": "http://www.securitytracker.com/id/1033439"
          },
          {
            "name": "http://www.fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient",
            "refsource": "CONFIRM",
            "url": "http://www.fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient"
          },
          {
            "name": "20150901 [CORE-2015-0013] - FortiClient Antivirus Multiple Vulnerabilities",
            "refsource": "BUGTRAQ",
            "url": "http://www.securityfocus.com/archive/1/536369/100/0/threaded"
          },
          {
            "name": "http://fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient",
            "refsource": "CONFIRM",
            "url": "http://fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient"
          },
          {
            "name": "20150901 [CORE-2015-0013] - FortiClient Antivirus Multiple Vulnerabilities",
            "refsource": "FULLDISC",
            "url": "http://seclists.org/fulldisclosure/2015/Sep/0"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "5.2.3",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2015-4077"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The (1) mdare64_48.sys, (2) mdare32_48.sys, (3) mdare32_52.sys, and (4) mdare64_52.sys drivers in Fortinet FortiClient before 5.2.4 allow local users to read arbitrary kernel memory via a 0x22608C ioctl call."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-200"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://www.fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient"
            },
            {
              "name": "http://www.coresecurity.com/advisories/forticlient-antivirus-multiple-vulnerabilities",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://www.coresecurity.com/advisories/forticlient-antivirus-multiple-vulnerabilities"
            },
            {
              "name": "1033439",
              "refsource": "SECTRACK",
              "tags": [],
              "url": "http://www.securitytracker.com/id/1033439"
            },
            {
              "name": "http://fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "http://fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient"
            },
            {
              "name": "20150901 [CORE-2015-0013] - FortiClient Antivirus Multiple Vulnerabilities",
              "refsource": "FULLDISC",
              "tags": [],
              "url": "http://seclists.org/fulldisclosure/2015/Sep/0"
            },
            {
              "name": "http://packetstormsecurity.com/files/133398/FortiClient-Antivirus-Information-Exposure-Access-Control.html",
              "refsource": "MISC",
              "tags": [],
              "url": "http://packetstormsecurity.com/files/133398/FortiClient-Antivirus-Information-Exposure-Access-Control.html"
            },
            {
              "name": "45149",
              "refsource": "EXPLOIT-DB",
              "tags": [],
              "url": "https://www.exploit-db.com/exploits/45149/"
            },
            {
              "name": "20150901 [CORE-2015-0013] - FortiClient Antivirus Multiple Vulnerabilities",
              "refsource": "BUGTRAQ",
              "tags": [],
              "url": "http://www.securityfocus.com/archive/1/536369/100/0/threaded"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 2.1,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2018-10-09T19:57Z",
      "publishedDate": "2015-09-03T14:59Z"
    }
  }
}

CNVD-2015-05798

Vulnerability from cnvd - Published: 2015-09-07

Title

Fortinet FortiClient驱动文件泄露漏洞

Description

Fortinet FortiClient是美国飞塔（Fortinet）公司一套终端安全解决方案，为终端用户提供防病毒、加密等服务。 Fortinet FortiClient 5.2.4之前的版本存在驱动文件泄露漏洞，允许本地用户通过0x22608C ioctl调用读任意内核内存。

Severity

低

Patch Name

Fortinet FortiClient驱动文件泄露漏洞的补丁

Patch Description

Fortinet FortiClient是美国飞塔（Fortinet）公司一套终端安全解决方案，为终端用户提供防病毒、加密等服务。 Fortinet FortiClient 5.2.4之前的版本存在驱动文件泄露漏洞，允许本地用户通过0x22608C ioctl调用读任意内核内存。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

用户可参考如下厂商提供的安全公告获取补丁以修复该漏洞： http://www.fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient

Reference

http://www.fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient

Impacted products

Name
Fortinet FortiClient < 5.2.4

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2015-4077"
    }
  },
  "description": "Fortinet FortiClient\u662f\u7f8e\u56fd\u98de\u5854\uff08Fortinet\uff09\u516c\u53f8\u4e00\u5957\u7ec8\u7aef\u5b89\u5168\u89e3\u51b3\u65b9\u6848\uff0c\u4e3a\u7ec8\u7aef\u7528\u6237\u63d0\u4f9b\u9632\u75c5\u6bd2\u3001\u52a0\u5bc6\u7b49\u670d\u52a1\u3002\r\n\r\nFortinet FortiClient 5.2.4\u4e4b\u524d\u7684\u7248\u672c\u5b58\u5728\u9a71\u52a8\u6587\u4ef6\u6cc4\u9732\u6f0f\u6d1e\uff0c\u5141\u8bb8\u672c\u5730\u7528\u6237\u901a\u8fc70x22608C ioctl\u8c03\u7528\u8bfb\u4efb\u610f\u5185\u6838\u5185\u5b58\u3002",
  "discovererName": "Enrique Nissim",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u53d6\u8865\u4e01\u4ee5\u4fee\u590d\u8be5\u6f0f\u6d1e\uff1a\r\nhttp://www.fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2015-05798",
  "openTime": "2015-09-07",
  "patchDescription": "Fortinet FortiClient\u662f\u7f8e\u56fd\u98de\u5854\uff08Fortinet\uff09\u516c\u53f8\u4e00\u5957\u7ec8\u7aef\u5b89\u5168\u89e3\u51b3\u65b9\u6848\uff0c\u4e3a\u7ec8\u7aef\u7528\u6237\u63d0\u4f9b\u9632\u75c5\u6bd2\u3001\u52a0\u5bc6\u7b49\u670d\u52a1\u3002\r\n\r\nFortinet FortiClient 5.2.4\u4e4b\u524d\u7684\u7248\u672c\u5b58\u5728\u9a71\u52a8\u6587\u4ef6\u6cc4\u9732\u6f0f\u6d1e\uff0c\u5141\u8bb8\u672c\u5730\u7528\u6237\u901a\u8fc70x22608C ioctl\u8c03\u7528\u8bfb\u4efb\u610f\u5185\u6838\u5185\u5b58\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Fortinet FortiClient\u9a71\u52a8\u6587\u4ef6\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Fortinet FortiClient \u003c 5.2.4"
  },
  "referenceLink": "http://www.fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient",
  "serverity": "\u4f4e",
  "submitTime": "2015-09-06",
  "title": "Fortinet FortiClient\u9a71\u52a8\u6587\u4ef6\u6cc4\u9732\u6f0f\u6d1e"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2015-4077 (GCVE-0-2015-4077)

VAR-201509-0441

FKIE_CVE-2015-4077

GHSA-8FJH-3J4G-4F5V

GSD-2015-4077

CNVD-2015-05798

Tags

Sightings

Nomenclature