Fortinet's load balancer has been found to include a bunch of vulnerabilities, and so far, the Carnegie-Mellon CERT hasn't been able to determine whether or not they've all been patched.
In its advisory, the CERT says FortiWAN is subject to command injections, information exposure, and cross-site scripting attacks.
As the advisory states: “An authenticated but low-privileged (non-administrator) account may be able to execute OS commands in the root context, capture network traffic through the FortiWAN device, obtain appliance system configuration, or conduct cross-site scripting attacks against administrator users.”
While one of the vulnerabilities in the list has been fixed in FortiWAN 4.2.5, the advisory continues: “It is currently unclear if the remaining vulnerabilities in this Vulnerability Note were also addressed in this release.”
The vulns are as follows:
- CVE-2016-4966 – Fixed: a bug in
diagnosis_control.php, an authentication bypass that lets an attacker get a dump of captured packets;
- CVE-2016-4965 – Operating system command injection, also via diagnosis_control.php;
- CVE-2016-4967 – A privilege escalation bug that lets a lower-privilege user get a backup of the device configuration;
- CVE-2016-4968 – A user with low privileges can get the admin login cookie with a simple GET request; and
- CVE-2016-4969 – Cross-site scripting via the
/script/statistics/getconn.phpfile's IP parameter.
The vulns were reported to the CERT by Virgoteam. ®