#VU34856 Incorrect default permissions in FortiOS - CVE-2019-5593
Published: January 23, 2020 / Updated: August 8, 2020
Vulnerability identifier: #VU34856
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-5593
CWE-ID: CWE-276
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
FortiOS
FortiOS
Software vendor:
Fortinet, Inc
Fortinet, Inc
Description
The vulnerability allows a local authenticated user to gain access to sensitive information.
Improper permission or value checking in the CLI console may allow a non-privileged user to obtain Fortinet FortiOS plaint text private keys of system's builtin local certificates via unsetting the keys encryption password in FortiOS 6.2.0, 6.0.0 to 6.0.6, 5.6.10 and below or for user uploaded local certificates via setting an empty password in FortiOS 6.2.1, 6.2.0, 6.0.6 and below.
Remediation
Install update from vendor's website.