Main Vulnerability Database Vulnerabilities #VU34856

Incorrect default permissions in FortiOS - CVE-2019-5593

Published: January 23, 2020 / Updated: August 8, 2020

Vulnerability identifier: #VU34856

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2019-5593

CWE-ID: CWE-276

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: Fortinet, Inc

Affected software:
FortiOS

Detailed vulnerability description

The vulnerability allows a local authenticated user to gain access to sensitive information.

Improper permission or value checking in the CLI console may allow a non-privileged user to obtain Fortinet FortiOS plaint text private keys of system's builtin local certificates via unsetting the keys encryption password in FortiOS 6.2.0, 6.0.0 to 6.0.6, 5.6.10 and below or for user uploaded local certificates via setting an empty password in FortiOS 6.2.1, 6.2.0, 6.0.6 and below.

How to mitigate CVE-2019-5593

Install update from vendor's website.

Sources

https://fortiguard.com/psirt/FG-IR-19-134

Incorrect default permissions in FortiOS - CVE-2019-5593

Detailed vulnerability description

How to mitigate CVE-2019-5593

Sources

Please verify you're human