Information disclosure in Fortinet, FortiOS



Published: 2017-02-08 | Updated: 2020-08-08
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2016-8492
CWE-ID CWE-200
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		FortiOS
Operating systems & Components / Operating system

Vendor Fortinet, Inc

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Information disclosure

EUVDB-ID: #VU39672

Risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-8492

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The implementation of an ANSI X9.31 RNG in Fortinet FortiGate allows attackers to gain unauthorized read access to data handled by the device via IPSec/TLS decryption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

FortiOS: 4.3.0 - 4.3.17

External links

http://www.securityfocus.com/bid/94480
http://fortiguard.com/advisory/FG-IR-16-067


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###