{"vuid":"VU#724487","idnumber":"724487","name":"Fortinet FortiWAN load balancer appliance contains multiple vulnerabilities","keywords":["xss","authentication bypass","information exposure","command injection"],"overview":"The Fortinet FortiWAN (Ascernlink) network load balancer appliance contains multiple vulnerabilities.","clean_desc":"According to the reporter, the Fortinet FortiWAN network load balancer appliance contains the following vulnerabilities. CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - CVE-2016-4965 The diagnosis_control.php page is vulnerable to command injection via the \"graph\" GET parameter. A non-administrative authenticated attacker having access privileges to the nslookup functionality can inject arbitrary operating system commands and execute them in the context of the root user. CWE-302: Authentication Bypass by Assumed-Immutable Data - CVE-2016-4966 The diagnosis_control.php page has a tcpdump function that can capture FortiWAN data packets and download the captured packets to the local host for analysis and debugging. A non-administrative authenticated attacker having access privileges can change the HTTP GET parameter “UserName” to “Administrator” to download a PCAP file of all packets captured from the FortiWAN device since the tcpdump function was activated. CWE-200: Information Exposure - CVE-2016-4967 An authenticated but low-privileged user may obtain a backup of the device configuration by visiting the URL /script/cfg_show.php of the FortiWAN appliance, or a PCAP of tcpdump data by visiting /script/system/tcpdump.php. CWE-200: Information Exposure - CVE-2016-4968 An authenticated but low-privileged user may perform a GET request of the /linkreport/tmp/admin_global page of the FortiWAN appliance and obtain the administrator login cookie. CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2016-4969 The /script/statistics/getconn.php file's IP parameter is vulnerable to cross-site scripting. The CVSS score below is based on CVE-2016-4965.","impact":"An authenticated but low-privileged (non-administrator) account may be able to execute OS commands in the root context, capture network traffic through the FortiWAN device, obtain appliance system configuration, or conduct cross-site scripting attacks against administrator users.","resolution":"Apply an update. Fortinet has released FortiWAN 4.2.5, which addresses all issues. For more information, please see the changelog. Affected users are encouraged to update as soon as possible.","workarounds":"","sysaffected":"","thanks":"Thanks to Virgoteam (Fan-Syun Shih, Kun-Xian Lin, and Yu-Chi Ding) for reporting these vulnerabilities.","author":"This document was written by Garret Wassermann.","public":["http://docs.fortinet.com/uploaded/files/3236/fortiwan-v4.2.5-release-notes.pdf","https://www.fortinet.com/products-services/products/wan-appliances/fortiwan.html"],"cveids":["CVE-2016-4965","CVE-2016-4966","CVE-2016-4967","CVE-2016-4968","CVE-2016-4969"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2016-08-16T18:46:00Z","publicdate":"2016-09-06T00:00:00Z","datefirstpublished":"2016-09-06T19:45:17Z","dateupdated":"2016-09-09T17:12:06Z","revision":28,"vrda_d1_directreport":"1","vrda_d1_population":"2","vrda_d1_impact":"2","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"M","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"C","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"U","cvss_reportconfidence":"UR","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"9.3","cvss_basevector":"AV:N/AC:M/Au:N/C:C/I:C/A:C","cvss_temporalscore":"8","cvss_environmentalscore":"5.9842549872","cvss_environmentalvector":"CDP:ND/TD:M/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}