Main Vulnerability Database SB2016120501

SB2016120501 - Administrative password hash disclosure in FortiOS

Published: December 5, 2016

Security Bulletin ID SB2016120501

CSH Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Information disclosure (CVE-ID: CVE-2016-7542)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to obtain hash of local administrator.

The vulnerability exists due to unknown error. A remote attacker with unspecified privileges may be able to obtain password hash of local administrator. It is unclear, if the attacker should be authenticated.

Successful exploitation of the vulnerability may allow an attacker to brute-force password hash and obtain administrative privileges on vulnerable device.

Remediation

Install update from vendor's website.

References

http://fortiguard.com/advisory/FG-IR-16-050