PT-2016-3273 · Fortinet · Fortios

Published

2016-12-02

Updated

2017-07-28

CVE-2016-7542

CVSS v2.0

6.8

Medium

Vector

AV:N/AC:L/Au:S/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions FortiOS versions 5.2.x through 5.2.9 FortiOS versions 5.4.x through 5.4.1

Description The issue is caused by access control errors in the FortiOS REST API interface, allowing a remote attacker with read-only privileges to potentially disclose password information of read-write administrators. This could enable the attacker to crack the password hashes, excluding those of super-admins, stored on the appliance via the webui REST API.

Recommendations For FortiOS versions 5.2.x through 5.2.9, update to version 5.2.10 GA or later. For FortiOS versions 5.4.x through 5.4.1, update to version 5.4.2 GA or later.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200CWE-264

Related Identifiers

BDU:2018-01286

CVE-2016-7542

Affected Products

Fortios

PT-2016-3273 · Fortinet · Fortios

CVE-2016-7542

Weakness Enumeration

Related Identifiers

Affected Products

References · 8