var-200904-0471
Vulnerability from variot
Format string vulnerability in Fortinet FortiClient 3.0.614, and possibly earlier, allows local users to execute arbitrary code via format string specifiers in the VPN connection name. Fortinet FortiClient is prone to a local format-string vulnerability because it fails to adequately sanitize user-supplied input before passing it to a formatted-printing function. Successfully exploiting this issue will allow local attackers to execute arbitrary code with SYSTEM-level privileges, completely compromising the computer. Failed exploit attempts will likely result in a denial of service. FortiClient 3.0.614 is vulnerable; other versions may also be affected. Fortinet FortiClient is a set of Fortinet company's software solutions that provide security for terminals. It provides features such as IPsec and SSL encryption, WAN optimization, endpoint compliance, and two-factor authentication. ----------------------------------------------------------------------
Secunia is pleased to announce the release of the annual Secunia report for 2008.
Highlights from the 2008 report: * Vulnerability Research * Software Inspection Results * Secunia Research Highlights * Secunia Advisory Statistics
Request the full 2008 Report here: http://secunia.com/advisories/try_vi/request_2008_report/
Stay Secure,
Secunia
TITLE: Fortinet FortiClient VPN Connection Format String Vulnerability
SECUNIA ADVISORY ID: SA34524
VERIFY ADVISORY: http://secunia.com/advisories/34524/
DESCRIPTION: A vulnerability has been reported in Fortinet FortiClient, which can be exploited by malicious, local users to gain escalated privileges. This can be exploited to read and write arbitrary memory with SYSTEM privileges via a specially crafted VPN connection name.
The vulnerability is reported in version 3.0.614.
SOLUTION: Update to version 3.0 MR7 Patch Release 6.
PROVIDED AND/OR DISCOVERED BY: Deral Heiland, Layered Defense
ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2009-April/068583.html
About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities.
Subscribe: http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
Show details on source website
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-200904-0471",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "forticlient",
"scope": "eq",
"trust": 2.7,
"vendor": "fortinet",
"version": "3.0.614"
},
{
"model": "forticlient mr7 patch",
"scope": "ne",
"trust": 0.3,
"vendor": "fortinet",
"version": "3.06"
}
],
"sources": [
{
"db": "BID",
"id": "34343"
},
{
"db": "JVNDB",
"id": "JVNDB-2009-003327"
},
{
"db": "CNNVD",
"id": "CNNVD-200904-156"
},
{
"db": "NVD",
"id": "CVE-2009-1262"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:fortinet:forticlient",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2009-003327"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Deral Heiland http://www.layereddefense.com/",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200904-156"
}
],
"trust": 0.6
},
"cve": "CVE-2009-1262",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "CVE-2009-1262",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 1.8,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "VHN-38708",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:L/AC:L/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2009-1262",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2009-1262",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-200904-156",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-38708",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-38708"
},
{
"db": "JVNDB",
"id": "JVNDB-2009-003327"
},
{
"db": "CNNVD",
"id": "CNNVD-200904-156"
},
{
"db": "NVD",
"id": "CVE-2009-1262"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Format string vulnerability in Fortinet FortiClient 3.0.614, and possibly earlier, allows local users to execute arbitrary code via format string specifiers in the VPN connection name. Fortinet FortiClient is prone to a local format-string vulnerability because it fails to adequately sanitize user-supplied input before passing it to a formatted-printing function. \nSuccessfully exploiting this issue will allow local attackers to execute arbitrary code with SYSTEM-level privileges, completely compromising the computer. Failed exploit attempts will likely result in a denial of service. \nFortiClient 3.0.614 is vulnerable; other versions may also be affected. Fortinet FortiClient is a set of Fortinet company\u0027s software solutions that provide security for terminals. It provides features such as IPsec and SSL encryption, WAN optimization, endpoint compliance, and two-factor authentication. ----------------------------------------------------------------------\n\nSecunia is pleased to announce the release of the annual Secunia\nreport for 2008. \n\nHighlights from the 2008 report:\n * Vulnerability Research\n * Software Inspection Results\n * Secunia Research Highlights\n * Secunia Advisory Statistics\n\nRequest the full 2008 Report here:\nhttp://secunia.com/advisories/try_vi/request_2008_report/\n\nStay Secure,\n\nSecunia\n\n\n----------------------------------------------------------------------\n\nTITLE:\nFortinet FortiClient VPN Connection Format String Vulnerability\n\nSECUNIA ADVISORY ID:\nSA34524\n\nVERIFY ADVISORY:\nhttp://secunia.com/advisories/34524/\n\nDESCRIPTION:\nA vulnerability has been reported in Fortinet FortiClient, which can\nbe exploited by malicious, local users to gain escalated privileges. This can be exploited to read and\nwrite arbitrary memory with SYSTEM privileges via a specially crafted\nVPN connection name. \n\nThe vulnerability is reported in version 3.0.614. \n\nSOLUTION:\nUpdate to version 3.0 MR7 Patch Release 6. \n\nPROVIDED AND/OR DISCOVERED BY:\nDeral Heiland, Layered Defense\n\nORIGINAL ADVISORY:\nhttp://lists.grok.org.uk/pipermail/full-disclosure/2009-April/068583.html\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\neverybody keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/advisories/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/advisories/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2009-1262"
},
{
"db": "JVNDB",
"id": "JVNDB-2009-003327"
},
{
"db": "BID",
"id": "34343"
},
{
"db": "VULHUB",
"id": "VHN-38708"
},
{
"db": "PACKETSTORM",
"id": "76353"
}
],
"trust": 2.07
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2009-1262",
"trust": 2.8
},
{
"db": "BID",
"id": "34343",
"trust": 2.0
},
{
"db": "SECUNIA",
"id": "34524",
"trust": 1.8
},
{
"db": "SECTRACK",
"id": "1021966",
"trust": 1.7
},
{
"db": "VUPEN",
"id": "ADV-2009-0941",
"trust": 1.7
},
{
"db": "OSVDB",
"id": "53266",
"trust": 1.7
},
{
"db": "JVNDB",
"id": "JVNDB-2009-003327",
"trust": 0.8
},
{
"db": "BUGTRAQ",
"id": "20090410 RE: LAYERED DEFENSE RESEARCH ADVISORY: FORMAT STRING VULNERABILITY: FORTICLIENT VERSION 3",
"trust": 0.6
},
{
"db": "BUGTRAQ",
"id": "20090402 LAYERED DEFENSE RESEARCH ADVISORY: FORMAT STRING VULNERABILITY: FORTICLIENT VERSION 3",
"trust": 0.6
},
{
"db": "FULLDISC",
"id": "20090402 LAYERED DEFENSE RESEARCH ADVISORY: FORMAT STRING VULNERABILITY: FORTICLIENT VERSION 3",
"trust": 0.6
},
{
"db": "XF",
"id": "49633",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-200904-156",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-38708",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "76353",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-38708"
},
{
"db": "BID",
"id": "34343"
},
{
"db": "JVNDB",
"id": "JVNDB-2009-003327"
},
{
"db": "PACKETSTORM",
"id": "76353"
},
{
"db": "CNNVD",
"id": "CNNVD-200904-156"
},
{
"db": "NVD",
"id": "CVE-2009-1262"
}
]
},
"id": "VAR-200904-0471",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-38708"
}
],
"trust": 0.01
},
"last_update_date": "2024-11-23T22:31:54.021000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "http://www.fortinet.com/"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2009-003327"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-134",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2009-003327"
},
{
"db": "NVD",
"id": "CVE-2009-1262"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.8,
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2009-april/068583.html"
},
{
"trust": 1.7,
"url": "http://www.securityfocus.com/bid/34343"
},
{
"trust": 1.7,
"url": "http://www.layereddefense.com/forticlient02apr.html"
},
{
"trust": 1.7,
"url": "http://osvdb.org/53266"
},
{
"trust": 1.7,
"url": "http://www.securitytracker.com/id?1021966"
},
{
"trust": 1.7,
"url": "http://secunia.com/advisories/34524"
},
{
"trust": 1.7,
"url": "http://www.vupen.com/english/advisories/2009/0941"
},
{
"trust": 1.1,
"url": "http://www.securityfocus.com/archive/1/502354/100/0/threaded"
},
{
"trust": 1.1,
"url": "http://www.securityfocus.com/archive/1/502602/100/0/threaded"
},
{
"trust": 1.1,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/49633"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1262"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-1262"
},
{
"trust": 0.6,
"url": "http://xforce.iss.net/xforce/xfdb/49633"
},
{
"trust": 0.6,
"url": "http://www.securityfocus.com/archive/1/archive/1/502602/100/0/threaded"
},
{
"trust": 0.6,
"url": "http://www.securityfocus.com/archive/1/archive/1/502354/100/0/threaded"
},
{
"trust": 0.3,
"url": "http://www.fortinet.com/products/forticlient/"
},
{
"trust": 0.3,
"url": "/archive/1/502354"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/34524/"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/try_vi/request_2008_report/"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/secunia_security_advisories/"
},
{
"trust": 0.1,
"url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/about_secunia_advisories/"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-38708"
},
{
"db": "BID",
"id": "34343"
},
{
"db": "JVNDB",
"id": "JVNDB-2009-003327"
},
{
"db": "PACKETSTORM",
"id": "76353"
},
{
"db": "CNNVD",
"id": "CNNVD-200904-156"
},
{
"db": "NVD",
"id": "CVE-2009-1262"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-38708"
},
{
"db": "BID",
"id": "34343"
},
{
"db": "JVNDB",
"id": "JVNDB-2009-003327"
},
{
"db": "PACKETSTORM",
"id": "76353"
},
{
"db": "CNNVD",
"id": "CNNVD-200904-156"
},
{
"db": "NVD",
"id": "CVE-2009-1262"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2009-04-07T00:00:00",
"db": "VULHUB",
"id": "VHN-38708"
},
{
"date": "2009-04-02T00:00:00",
"db": "BID",
"id": "34343"
},
{
"date": "2012-06-26T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2009-003327"
},
{
"date": "2009-04-06T11:11:40",
"db": "PACKETSTORM",
"id": "76353"
},
{
"date": "2009-04-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200904-156"
},
{
"date": "2009-04-07T23:30:00.377000",
"db": "NVD",
"id": "CVE-2009-1262"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-10-10T00:00:00",
"db": "VULHUB",
"id": "VHN-38708"
},
{
"date": "2009-04-17T23:06:00",
"db": "BID",
"id": "34343"
},
{
"date": "2012-06-26T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2009-003327"
},
{
"date": "2009-04-18T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200904-156"
},
{
"date": "2024-11-21T01:02:02.583000",
"db": "NVD",
"id": "CVE-2009-1262"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "BID",
"id": "34343"
},
{
"db": "PACKETSTORM",
"id": "76353"
},
{
"db": "CNNVD",
"id": "CNNVD-200904-156"
}
],
"trust": 1.0
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Fortinet FortiClient VPN Connection Name Local Format String Vulnerability",
"sources": [
{
"db": "BID",
"id": "34343"
},
{
"db": "CNNVD",
"id": "CNNVD-200904-156"
}
],
"trust": 0.9
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "format string",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200904-156"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…