A vulnerability, which was classified as critical, has been found in Fortinet FortiWan up to 4.2.4. Affected by this issue is an unknown functionality of the file diagnosis_control.php of the component nslookup Handler. The manipulation of the argument graph with an unknown input leads to a os command injection vulnerability. Using CWE to declare the problem leads to CWE-78. The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Impacted is confidentiality, integrity, and availability. CVE summarizes:

Fortinet FortiWan (formerly AscernLink) before 4.2.5 allows remote authenticated users with access to the nslookup functionality to execute arbitrary commands with root privileges via the graph parameter to diagnosis_control.php.

The weakness was published 09/21/2016 (Website). The advisory is shared for download at docs.fortinet.com. This vulnerability is handled as CVE-2016-4965 since 05/24/2016. The exploitation is known to be easy. The attack may be launched remotely. The successful exploitation needs a simple authentication. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1202.

By approaching the search of inurl:diagnosis_control.php it is possible to find vulnerable targets with Google Hacking.

Upgrading to version 4.2.5 eliminates this vulnerability.

Similar entries are available at 91821, 91822, 91823 and 91824.

Productinfo

Vendor

• Fortinet

Name

• FortiWan

Version

• 4.2.0
• 4.2.1
• 4.2.2
• 4.2.3
• 4.2.4

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion