cvelistv5 - cve-2019-15703

CVE-2019-15703 (GCVE-0-2019-15703)

Vulnerability from cvelistv5 – Published: 2019-10-24 13:53 – Updated: 2024-10-25 14:28

Summary

Severity ?

No CVSS data available.

CWE

Information disclosure

Assigner

fortinet

References

URL

Tags

https://fortiguard.com/psirt/FG-IR-19-186

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Fortinet	Fortinet FortiOS	Affected: 6.2.1 Affected: 6.2.0 Affected: 6.0.8 and below

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T00:56:22.456Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://fortiguard.com/psirt/FG-IR-19-186"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2019-15703",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-24T20:09:52.556651Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-25T14:28:18.828Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Fortinet FortiOS",
          "vendor": "Fortinet",
          "versions": [
            {
              "status": "affected",
              "version": "6.2.1"
            },
            {
              "status": "affected",
              "version": "6.2.0"
            },
            {
              "status": "affected",
              "version": "6.0.8 and below"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An Insufficient Entropy in PRNG vulnerability in Fortinet FortiOS 6.2.1, 6.2.0, 6.0.8 and below for device not enable hardware TRNG token and models not support builtin TRNG seed allows attacker to theoretically recover the long term ECDSA secret in a TLS client with a RSA handshake and mutual ECDSA authentication via the help of flush+reload side channel attacks in FortiGate VM models only."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Information disclosure",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-03-30T19:12:50",
        "orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
        "shortName": "fortinet"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://fortiguard.com/psirt/FG-IR-19-186"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@fortinet.com",
          "ID": "CVE-2019-15703",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Fortinet FortiOS",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "6.2.1"
                          },
                          {
                            "version_value": "6.2.0"
                          },
                          {
                            "version_value": "6.0.8 and below"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Fortinet"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An Insufficient Entropy in PRNG vulnerability in Fortinet FortiOS 6.2.1, 6.2.0, 6.0.8 and below for device not enable hardware TRNG token and models not support builtin TRNG seed allows attacker to theoretically recover the long term ECDSA secret in a TLS client with a RSA handshake and mutual ECDSA authentication via the help of flush+reload side channel attacks in FortiGate VM models only."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Information disclosure"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://fortiguard.com/psirt/FG-IR-19-186",
              "refsource": "MISC",
              "url": "https://fortiguard.com/psirt/FG-IR-19-186"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
    "assignerShortName": "fortinet",
    "cveId": "CVE-2019-15703",
    "datePublished": "2019-10-24T13:53:17",
    "dateReserved": "2019-08-27T00:00:00",
    "dateUpdated": "2024-10-25T14:28:18.828Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"5.6.9\", \"matchCriteriaId\": \"9C424D53-2941-43BA-B4BA-FE6C06B08190\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"6.0.0\", \"versionEndExcluding\": \"6.0.9\", \"matchCriteriaId\": \"C2F4F708-941B-4EBD-9DAB-D726887B63DF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"6.2.0\", \"versionEndExcluding\": \"6.2.3\", \"matchCriteriaId\": \"7EE3901A-D32C-44DD-8977-87B4A4B6F3FE\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"An Insufficient Entropy in PRNG vulnerability in Fortinet FortiOS 6.2.1, 6.2.0, 6.0.8 and below for device not enable hardware TRNG token and models not support builtin TRNG seed allows attacker to theoretically recover the long term ECDSA secret in a TLS client with a RSA handshake and mutual ECDSA authentication via the help of flush+reload side channel attacks in FortiGate VM models only.\"}, {\"lang\": \"es\", \"value\": \"Una Entrop\\u00eda Insuficiente en la vulnerabilidad del PRNG en Fortinet FortiOS versi\\u00f3n 6.2.1, 6.2.0, 6.0.8 y posteriores, para dispositivos que no habilitan token TRNG de hardware y modelos que no admiten un seed TRNG incorporado permite al atacante recuperar te\\u00f3ricamente el secreto ECDSA a largo plazo en un cliente TLS con un protocolo de enlace RSA y autenticaci\\u00f3n mutua ECDSA mediante la ayuda de los ataques de canal lateral flush+reload solo en los modelos FortiGate VM.\"}]",
      "id": "CVE-2019-15703",
      "lastModified": "2024-11-21T04:29:17.510",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:H/Au:N/C:P/I:N/A:N\", \"baseScore\": 2.6, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"HIGH\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 4.9, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2019-10-24T14:15:11.003",
      "references": "[{\"url\": \"https://fortiguard.com/psirt/FG-IR-19-186\", \"source\": \"psirt@fortinet.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://fortiguard.com/psirt/FG-IR-19-186\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "psirt@fortinet.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-331\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-15703\",\"sourceIdentifier\":\"psirt@fortinet.com\",\"published\":\"2019-10-24T14:15:11.003\",\"lastModified\":\"2024-11-21T04:29:17.510\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An Insufficient Entropy in PRNG vulnerability in Fortinet FortiOS 6.2.1, 6.2.0, 6.0.8 and below for device not enable hardware TRNG token and models not support builtin TRNG seed allows attacker to theoretically recover the long term ECDSA secret in a TLS client with a RSA handshake and mutual ECDSA authentication via the help of flush+reload side channel attacks in FortiGate VM models only.\"},{\"lang\":\"es\",\"value\":\"Una Entrop\u00eda Insuficiente en la vulnerabilidad del PRNG en Fortinet FortiOS versi\u00f3n 6.2.1, 6.2.0, 6.0.8 y posteriores, para dispositivos que no habilitan token TRNG de hardware y modelos que no admiten un seed TRNG incorporado permite al atacante recuperar te\u00f3ricamente el secreto ECDSA a largo plazo en un cliente TLS con un protocolo de enlace RSA y autenticaci\u00f3n mutua ECDSA mediante la ayuda de los ataques de canal lateral flush+reload solo en los modelos FortiGate VM.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:H/Au:N/C:P/I:N/A:N\",\"baseScore\":2.6,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"HIGH\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":4.9,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-331\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"5.6.9\",\"matchCriteriaId\":\"9C424D53-2941-43BA-B4BA-FE6C06B08190\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.0.0\",\"versionEndExcluding\":\"6.0.9\",\"matchCriteriaId\":\"C2F4F708-941B-4EBD-9DAB-D726887B63DF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2.0\",\"versionEndExcluding\":\"6.2.3\",\"matchCriteriaId\":\"7EE3901A-D32C-44DD-8977-87B4A4B6F3FE\"}]}]}],\"references\":[{\"url\":\"https://fortiguard.com/psirt/FG-IR-19-186\",\"source\":\"psirt@fortinet.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://fortiguard.com/psirt/FG-IR-19-186\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://fortiguard.com/psirt/FG-IR-19-186\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-05T00:56:22.456Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2019-15703\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-24T20:09:52.556651Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-25T14:17:30.420Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"Fortinet\", \"product\": \"Fortinet FortiOS\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.2.1\"}, {\"status\": \"affected\", \"version\": \"6.2.0\"}, {\"status\": \"affected\", \"version\": \"6.0.8 and below\"}]}], \"references\": [{\"url\": \"https://fortiguard.com/psirt/FG-IR-19-186\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"An Insufficient Entropy in PRNG vulnerability in Fortinet FortiOS 6.2.1, 6.2.0, 6.0.8 and below for device not enable hardware TRNG token and models not support builtin TRNG seed allows attacker to theoretically recover the long term ECDSA secret in a TLS client with a RSA handshake and mutual ECDSA authentication via the help of flush+reload side channel attacks in FortiGate VM models only.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"Information disclosure\"}]}], \"providerMetadata\": {\"orgId\": \"6abe59d8-c742-4dff-8ce8-9b0ca1073da8\", \"shortName\": \"fortinet\", \"dateUpdated\": \"2020-03-30T19:12:50\"}, \"x_legacyV4Record\": {\"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"6.2.1\"}, {\"version_value\": \"6.2.0\"}, {\"version_value\": \"6.0.8 and below\"}]}, \"product_name\": \"Fortinet FortiOS\"}]}, \"vendor_name\": \"Fortinet\"}]}}, \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"https://fortiguard.com/psirt/FG-IR-19-186\", \"name\": \"https://fortiguard.com/psirt/FG-IR-19-186\", \"refsource\": \"MISC\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"An Insufficient Entropy in PRNG vulnerability in Fortinet FortiOS 6.2.1, 6.2.0, 6.0.8 and below for device not enable hardware TRNG token and models not support builtin TRNG seed allows attacker to theoretically recover the long term ECDSA secret in a TLS client with a RSA handshake and mutual ECDSA authentication via the help of flush+reload side channel attacks in FortiGate VM models only.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"Information disclosure\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2019-15703\", \"STATE\": \"PUBLIC\", \"ASSIGNER\": \"psirt@fortinet.com\"}}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2019-15703\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-10-25T14:28:18.828Z\", \"dateReserved\": \"2019-08-27T00:00:00\", \"assignerOrgId\": \"6abe59d8-c742-4dff-8ce8-9b0ca1073da8\", \"datePublished\": \"2019-10-24T13:53:17\", \"assignerShortName\": \"fortinet\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-RWG7-VWHM-3X8J

Vulnerability from github – Published: 2022-05-24 16:59 – Updated: 2022-05-24 16:59

Details

An Insufficient Entropy in PRNG vulnerability in Fortinet FortiOS 6.2.1 and below for device not enable hardware TRNG token and models not support builtin TRNG seed allows attacker to theoretically recover the long term ECDSA secret in a TLS client with a RSA handshake and mutual ECDSA authentication via the help of flush+reload side channel attacks in FortiGate VM models only.

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2019-15703"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-24T14:15:00Z",
    "severity": "LOW"
  },
  "details": "An Insufficient Entropy in PRNG vulnerability in Fortinet FortiOS 6.2.1 and below for device not enable hardware TRNG token and models not support builtin TRNG seed allows attacker to theoretically recover the long term ECDSA secret in a TLS client with a RSA handshake and mutual ECDSA authentication via the help of flush+reload side channel attacks in FortiGate VM models only.",
  "id": "GHSA-rwg7-vwhm-3x8j",
  "modified": "2022-05-24T16:59:48Z",
  "published": "2022-05-24T16:59:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15703"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/psirt/FG-IR-19-186"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

VAR-201910-1237

Vulnerability from variot - Updated: 2023-12-18 12:56

An Insufficient Entropy in PRNG vulnerability in Fortinet FortiOS 6.2.1, 6.2.0, 6.0.8 and below for device not enable hardware TRNG token and models not support builtin TRNG seed allows attacker to theoretically recover the long term ECDSA secret in a TLS client with a RSA handshake and mutual ECDSA authentication via the help of flush+reload side channel attacks in FortiGate VM models only. Fortinet FortiOS Contains a vulnerability related to lack of entropy.Information may be obtained. Fortinet FortiOS is a set of security operating system dedicated to the FortiGate network security platform developed by Fortinet. The system provides users with various security functions such as firewall, anti-virus, IPSec/SSLVPN, Web content filtering and anti-spam. Fortinet FortiOS versions 6.2.1, 6.2.0, 6.0.8 and earlier have security signature vulnerabilities in the deterministic (pseudo-random) number generator (PRNG). An attacker could exploit this vulnerability to obtain sensitive information

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201910-1237",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "fortios",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "fortinet",
        "version": "6.2.0"
      },
      {
        "model": "fortios",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "fortinet",
        "version": "6.0.9"
      },
      {
        "model": "fortios",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "fortinet",
        "version": "6.0.0"
      },
      {
        "model": "fortios",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "fortinet",
        "version": "6.2.3"
      },
      {
        "model": "fortios",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "fortinet",
        "version": "5.6.9"
      },
      {
        "model": "fortios",
        "scope": "lte",
        "trust": 0.8,
        "vendor": "fortinet",
        "version": "6.2.1"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-011503"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-15703"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "5.6.9",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "6.0.9",
                "versionStartIncluding": "6.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "6.2.3",
                "versionStartIncluding": "6.2.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2019-15703"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Shaanan Cohney of the University of Pennsylvania",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201910-1251"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2019-15703",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 2.6,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 4.9,
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "LOW",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "High",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 2.6,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "CVE-2019-15703",
            "impactScore": null,
            "integrityImpact": "None",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Low",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "NONE",
            "baseScore": 2.6,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 4.9,
            "id": "VHN-147776",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "LOW",
            "trust": 0.1,
            "vectorString": "AV:N/AC:H/AU:N/C:P/I:N/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 7.5,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2019-15703",
            "impactScore": null,
            "integrityImpact": "None",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2019-15703",
            "trust": 1.8,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201910-1251",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "VULHUB",
            "id": "VHN-147776",
            "trust": 0.1,
            "value": "LOW"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-147776"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-011503"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-15703"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201910-1251"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "An Insufficient Entropy in PRNG vulnerability in Fortinet FortiOS 6.2.1, 6.2.0, 6.0.8 and below for device not enable hardware TRNG token and models not support builtin TRNG seed allows attacker to theoretically recover the long term ECDSA secret in a TLS client with a RSA handshake and mutual ECDSA authentication via the help of flush+reload side channel attacks in FortiGate VM models only. Fortinet FortiOS Contains a vulnerability related to lack of entropy.Information may be obtained. Fortinet FortiOS is a set of security operating system dedicated to the FortiGate network security platform developed by Fortinet. The system provides users with various security functions such as firewall, anti-virus, IPSec/SSLVPN, Web content filtering and anti-spam. Fortinet FortiOS versions 6.2.1, 6.2.0, 6.0.8 and earlier have security signature vulnerabilities in the deterministic (pseudo-random) number generator (PRNG). An attacker could exploit this vulnerability to obtain sensitive information",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2019-15703"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-011503"
      },
      {
        "db": "VULHUB",
        "id": "VHN-147776"
      }
    ],
    "trust": 1.71
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2019-15703",
        "trust": 2.5
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-011503",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201910-1251",
        "trust": 0.7
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2019.3915.2",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2019.3915",
        "trust": 0.6
      },
      {
        "db": "VULHUB",
        "id": "VHN-147776",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-147776"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-011503"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-15703"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201910-1251"
      }
    ]
  },
  "id": "VAR-201910-1237",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-147776"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2023-12-18T12:56:21.012000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "FG-IR-19-186",
        "trust": 0.8,
        "url": "https://fortiguard.com/psirt/fg-ir-19-186"
      },
      {
        "title": "Fortinet FortiOS Fixing measures for security feature vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=101614"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-011503"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201910-1251"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-331",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-147776"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-011503"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-15703"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.7,
        "url": "https://fortiguard.com/psirt/fg-ir-19-186"
      },
      {
        "trust": 1.4,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-15703"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-15703"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2019.3915/"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2019.3915.2/"
      },
      {
        "trust": 0.6,
        "url": "https://vigilance.fr/vulnerability/fortios-information-disclosure-via-drbg-unsufficient-entropy-30682"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-147776"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-011503"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-15703"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201910-1251"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-147776"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-011503"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-15703"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201910-1251"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-10-24T00:00:00",
        "db": "VULHUB",
        "id": "VHN-147776"
      },
      {
        "date": "2019-11-11T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2019-011503"
      },
      {
        "date": "2019-10-24T14:15:11.003000",
        "db": "NVD",
        "id": "CVE-2019-15703"
      },
      {
        "date": "2019-10-21T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201910-1251"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-03-30T00:00:00",
        "db": "VULHUB",
        "id": "VHN-147776"
      },
      {
        "date": "2019-11-11T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2019-011503"
      },
      {
        "date": "2022-03-31T17:53:21.813000",
        "db": "NVD",
        "id": "CVE-2019-15703"
      },
      {
        "date": "2020-03-31T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201910-1251"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201910-1251"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Fortinet FortiOS Vulnerabilities related to lack of entropy",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-011503"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "security feature problem",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201910-1251"
      }
    ],
    "trust": 0.6
  }
}

CNVD-2019-38479

Vulnerability from cnvd - Published: 2019-11-01

Title

Fortinet FortiOS存在未明漏洞

Description

Fortinet FortiOS是美国飞塔（Fortinet）公司的一套专用于FortiGate网络安全平台上的安全操作系统。该系统为用户提供防火墙、防病毒、IPSec/SSLVPN、Web内容过滤和反垃圾邮件等多种安全功能。 Fortinet FortiOS中的确定性（伪随机）数产生器存在安全漏洞。攻击者可利用该漏洞获取敏感信息。

Severity

中

Patch Name

Fortinet FortiOS存在未明漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://fortiguard.com/psirt/FG-IR-19-186

Reference

https://vigilance.fr/vulnerability/FortiOS-information-disclosure-via-DRBG-Unsufficient-Entropy-30682

Impacted products

Name
Fortinet FortiOS

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-15703"
    }
  },
  "description": "Fortinet FortiOS\u662f\u7f8e\u56fd\u98de\u5854\uff08Fortinet\uff09\u516c\u53f8\u7684\u4e00\u5957\u4e13\u7528\u4e8eFortiGate\u7f51\u7edc\u5b89\u5168\u5e73\u53f0\u4e0a\u7684\u5b89\u5168\u64cd\u4f5c\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u4e3a\u7528\u6237\u63d0\u4f9b\u9632\u706b\u5899\u3001\u9632\u75c5\u6bd2\u3001IPSec/SSLVPN\u3001Web\u5185\u5bb9\u8fc7\u6ee4\u548c\u53cd\u5783\u573e\u90ae\u4ef6\u7b49\u591a\u79cd\u5b89\u5168\u529f\u80fd\u3002\n\nFortinet FortiOS\u4e2d\u7684\u786e\u5b9a\u6027\uff08\u4f2a\u968f\u673a\uff09\u6570\u4ea7\u751f\u5668\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://fortiguard.com/psirt/FG-IR-19-186",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-38479",
  "openTime": "2019-11-01",
  "patchDescription": "Fortinet FortiOS\u662f\u7f8e\u56fd\u98de\u5854\uff08Fortinet\uff09\u516c\u53f8\u7684\u4e00\u5957\u4e13\u7528\u4e8eFortiGate\u7f51\u7edc\u5b89\u5168\u5e73\u53f0\u4e0a\u7684\u5b89\u5168\u64cd\u4f5c\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u4e3a\u7528\u6237\u63d0\u4f9b\u9632\u706b\u5899\u3001\u9632\u75c5\u6bd2\u3001IPSec/SSLVPN\u3001Web\u5185\u5bb9\u8fc7\u6ee4\u548c\u53cd\u5783\u573e\u90ae\u4ef6\u7b49\u591a\u79cd\u5b89\u5168\u529f\u80fd\u3002\r\n\r\nFortinet FortiOS\u4e2d\u7684\u786e\u5b9a\u6027\uff08\u4f2a\u968f\u673a\uff09\u6570\u4ea7\u751f\u5668\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Fortinet FortiOS\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Fortinet FortiOS"
  },
  "referenceLink": "https://vigilance.fr/vulnerability/FortiOS-information-disclosure-via-DRBG-Unsufficient-Entropy-30682",
  "serverity": "\u4e2d",
  "submitTime": "2019-10-23",
  "title": "Fortinet FortiOS\u5b58\u5728\u672a\u660e\u6f0f\u6d1e"
}

FKIE_CVE-2019-15703

Vulnerability from fkie_nvd - Published: 2019-10-24 14:15 - Updated: 2024-11-21 04:29

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

References

	URL	Tags
	psirt@fortinet.com	https://fortiguard.com/psirt/FG-IR-19-186	Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://fortiguard.com/psirt/FG-IR-19-186	Vendor Advisory

Impacted products

Vendor	Product	Version
fortinet	fortios	*
fortinet	fortios	*
fortinet	fortios	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9C424D53-2941-43BA-B4BA-FE6C06B08190",
              "versionEndIncluding": "5.6.9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C2F4F708-941B-4EBD-9DAB-D726887B63DF",
              "versionEndExcluding": "6.0.9",
              "versionStartIncluding": "6.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7EE3901A-D32C-44DD-8977-87B4A4B6F3FE",
              "versionEndExcluding": "6.2.3",
              "versionStartIncluding": "6.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An Insufficient Entropy in PRNG vulnerability in Fortinet FortiOS 6.2.1, 6.2.0, 6.0.8 and below for device not enable hardware TRNG token and models not support builtin TRNG seed allows attacker to theoretically recover the long term ECDSA secret in a TLS client with a RSA handshake and mutual ECDSA authentication via the help of flush+reload side channel attacks in FortiGate VM models only."
    },
    {
      "lang": "es",
      "value": "Una Entrop\u00eda Insuficiente en la vulnerabilidad del PRNG en Fortinet FortiOS versi\u00f3n 6.2.1, 6.2.0, 6.0.8 y posteriores, para dispositivos que no habilitan token TRNG de hardware y modelos que no admiten un seed TRNG incorporado permite al atacante recuperar te\u00f3ricamente el secreto ECDSA a largo plazo en un cliente TLS con un protocolo de enlace RSA y autenticaci\u00f3n mutua ECDSA mediante la ayuda de los ataques de canal lateral flush+reload solo en los modelos FortiGate VM."
    }
  ],
  "id": "CVE-2019-15703",
  "lastModified": "2024-11-21T04:29:17.510",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "HIGH",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 2.6,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 4.9,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-10-24T14:15:11.003",
  "references": [
    {
      "source": "psirt@fortinet.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://fortiguard.com/psirt/FG-IR-19-186"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://fortiguard.com/psirt/FG-IR-19-186"
    }
  ],
  "sourceIdentifier": "psirt@fortinet.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-331"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2019-15703

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2019-15703

Aliases

CVE-2019-15703

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2019-15703",
    "description": "An Insufficient Entropy in PRNG vulnerability in Fortinet FortiOS 6.2.1, 6.2.0, 6.0.8 and below for device not enable hardware TRNG token and models not support builtin TRNG seed allows attacker to theoretically recover the long term ECDSA secret in a TLS client with a RSA handshake and mutual ECDSA authentication via the help of flush+reload side channel attacks in FortiGate VM models only.",
    "id": "GSD-2019-15703"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2019-15703"
      ],
      "details": "An Insufficient Entropy in PRNG vulnerability in Fortinet FortiOS 6.2.1, 6.2.0, 6.0.8 and below for device not enable hardware TRNG token and models not support builtin TRNG seed allows attacker to theoretically recover the long term ECDSA secret in a TLS client with a RSA handshake and mutual ECDSA authentication via the help of flush+reload side channel attacks in FortiGate VM models only.",
      "id": "GSD-2019-15703",
      "modified": "2023-12-13T01:23:38.410079Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "psirt@fortinet.com",
        "ID": "CVE-2019-15703",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Fortinet FortiOS",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "6.2.1"
                        },
                        {
                          "version_value": "6.2.0"
                        },
                        {
                          "version_value": "6.0.8 and below"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Fortinet"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "An Insufficient Entropy in PRNG vulnerability in Fortinet FortiOS 6.2.1, 6.2.0, 6.0.8 and below for device not enable hardware TRNG token and models not support builtin TRNG seed allows attacker to theoretically recover the long term ECDSA secret in a TLS client with a RSA handshake and mutual ECDSA authentication via the help of flush+reload side channel attacks in FortiGate VM models only."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Information disclosure"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://fortiguard.com/psirt/FG-IR-19-186",
            "refsource": "MISC",
            "url": "https://fortiguard.com/psirt/FG-IR-19-186"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "5.6.9",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "6.0.9",
                "versionStartIncluding": "6.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "6.2.3",
                "versionStartIncluding": "6.2.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@fortinet.com",
          "ID": "CVE-2019-15703"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "An Insufficient Entropy in PRNG vulnerability in Fortinet FortiOS 6.2.1, 6.2.0, 6.0.8 and below for device not enable hardware TRNG token and models not support builtin TRNG seed allows attacker to theoretically recover the long term ECDSA secret in a TLS client with a RSA handshake and mutual ECDSA authentication via the help of flush+reload side channel attacks in FortiGate VM models only."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-331"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://fortiguard.com/psirt/FG-IR-19-186",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://fortiguard.com/psirt/FG-IR-19-186"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 2.6,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 4.9,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2022-03-31T17:53Z",
      "publishedDate": "2019-10-24T14:15Z"
    }
  }
}

CERTFR-2019-AVI-523

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits Fortinet. Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité et une atteinte à la confidentialité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Fortinet	FortiOS	Le générateur d'aléa de FortiOS quand il est exécuté dans un environnement virtualisé
Fortinet	FortiMail	FortiMail versions 6.2.x antérieures à 6.2.1
Fortinet	FortiMail	FortiMail versions 6.0.x antérieures à 6.0.7
Fortinet	FortiMail	FortiMail versions antérieures à 5.4.11 (date de sortie non annoncée)

References

Title

Publication Time

Tags

Bulletin de sécurité Fortinet FG-IR-19-237 du 18 octobre 2019	None	vendor-advisory
Bulletin de sécurité Fortinet FG-IR-19-186 du 18 octobre 2019	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Le g\u00e9n\u00e9rateur d\u0027al\u00e9a de FortiOS quand il est ex\u00e9cut\u00e9 dans un environnement virtualis\u00e9",
      "product": {
        "name": "FortiOS",
        "vendor": {
          "name": "Fortinet",
          "scada": false
        }
      }
    },
    {
      "description": "FortiMail versions 6.2.x ant\u00e9rieures \u00e0 6.2.1",
      "product": {
        "name": "FortiMail",
        "vendor": {
          "name": "Fortinet",
          "scada": false
        }
      }
    },
    {
      "description": "FortiMail versions 6.0.x ant\u00e9rieures \u00e0 6.0.7",
      "product": {
        "name": "FortiMail",
        "vendor": {
          "name": "Fortinet",
          "scada": false
        }
      }
    },
    {
      "description": "FortiMail versions ant\u00e9rieures \u00e0 5.4.11 (date de sortie non annonc\u00e9e)",
      "product": {
        "name": "FortiMail",
        "vendor": {
          "name": "Fortinet",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2019-15707",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-15707"
    },
    {
      "name": "CVE-2019-15712",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-15712"
    },
    {
      "name": "CVE-2019-15703",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-15703"
    }
  ],
  "links": [],
  "reference": "CERTFR-2019-AVI-523",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2019-10-21T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nFortinet. Elles permettent \u00e0 un attaquant de provoquer un contournement\nde la politique de s\u00e9curit\u00e9 et une atteinte \u00e0 la confidentialit\u00e9 des\ndonn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Fortinet",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Fortinet FG-IR-19-237 du 18 octobre 2019",
      "url": "https://fortiguard.com/psirt/FG-IR-19-237"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Fortinet FG-IR-19-186 du 18 octobre 2019",
      "url": "https://fortiguard.com/psirt/FG-IR-19-186"
    }
  ]
}

CERTFR-2019-AVI-523

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Fortinet	FortiOS	Le générateur d'aléa de FortiOS quand il est exécuté dans un environnement virtualisé
Fortinet	FortiMail	FortiMail versions 6.2.x antérieures à 6.2.1
Fortinet	FortiMail	FortiMail versions 6.0.x antérieures à 6.0.7
Fortinet	FortiMail	FortiMail versions antérieures à 5.4.11 (date de sortie non annoncée)

References

Title

Publication Time

Tags

Bulletin de sécurité Fortinet FG-IR-19-237 du 18 octobre 2019	None	vendor-advisory
Bulletin de sécurité Fortinet FG-IR-19-186 du 18 octobre 2019	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Le g\u00e9n\u00e9rateur d\u0027al\u00e9a de FortiOS quand il est ex\u00e9cut\u00e9 dans un environnement virtualis\u00e9",
      "product": {
        "name": "FortiOS",
        "vendor": {
          "name": "Fortinet",
          "scada": false
        }
      }
    },
    {
      "description": "FortiMail versions 6.2.x ant\u00e9rieures \u00e0 6.2.1",
      "product": {
        "name": "FortiMail",
        "vendor": {
          "name": "Fortinet",
          "scada": false
        }
      }
    },
    {
      "description": "FortiMail versions 6.0.x ant\u00e9rieures \u00e0 6.0.7",
      "product": {
        "name": "FortiMail",
        "vendor": {
          "name": "Fortinet",
          "scada": false
        }
      }
    },
    {
      "description": "FortiMail versions ant\u00e9rieures \u00e0 5.4.11 (date de sortie non annonc\u00e9e)",
      "product": {
        "name": "FortiMail",
        "vendor": {
          "name": "Fortinet",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2019-15707",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-15707"
    },
    {
      "name": "CVE-2019-15712",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-15712"
    },
    {
      "name": "CVE-2019-15703",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-15703"
    }
  ],
  "links": [],
  "reference": "CERTFR-2019-AVI-523",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2019-10-21T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nFortinet. Elles permettent \u00e0 un attaquant de provoquer un contournement\nde la politique de s\u00e9curit\u00e9 et une atteinte \u00e0 la confidentialit\u00e9 des\ndonn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Fortinet",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Fortinet FG-IR-19-237 du 18 octobre 2019",
      "url": "https://fortiguard.com/psirt/FG-IR-19-237"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Fortinet FG-IR-19-186 du 18 octobre 2019",
      "url": "https://fortiguard.com/psirt/FG-IR-19-186"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2019-15703 (GCVE-0-2019-15703)

GHSA-RWG7-VWHM-3X8J

VAR-201910-1237

CNVD-2019-38479

FKIE_CVE-2019-15703

GSD-2019-15703

CERTFR-2019-AVI-523

Solution

CERTFR-2019-AVI-523

Solution

Tags

Sightings

Nomenclature