CVE-2019-5593 - OpenCVE

Improper permission or value checking in the CLI console may allow a non-privileged user to obtain Fortinet FortiOS plaint text private keys of system's builtin local certificates via unsetting the keys encryption password in FortiOS 6.2.0, 6.0.0 to 6.0.6, 5.6.10 and below or for user uploaded local certificates via setting an empty password in FortiOS 6.2.1, 6.2.0, 6.0.6 and below.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fortinet	Fortios

Configuration 1 [-]

OR	cpe:2.3:o:fortinet:fortios::::::::
	cpe:2.3:o:fortinet:fortios::::::::
	cpe:2.3:o:fortinet:fortios:6.2.0:::::::*

No data.

References

Link	Providers
https://fortiguard.com/psirt/FG-IR-19-134

History

No history.

MITRE

Status: PUBLISHED

Assigner: fortinet

Published: 2020-01-23T16:50:43

Updated: 2024-08-04T20:01:51.677Z

Reserved: 2019-01-07T00:00:00

Link: CVE-2019-5593

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-01-23T17:15:12.173

Modified: 2021-07-21T11:39:23.747

Link: CVE-2019-5593

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Fortinet FortiOS", "vendor": "n/a", "versions": [{"status": "affected", "version": "FortiOS 6.2.0 to 6.2.1, 6.0.6 and below"}]}], "descriptions": [{"lang": "en", "value": "Improper permission or value checking in the CLI console may allow a non-privileged user to obtain Fortinet FortiOS plaint text private keys of system's builtin local certificates via unsetting the keys encryption password in FortiOS 6.2.0, 6.0.0 to 6.0.6, 5.6.10 and below or for user uploaded local certificates via setting an empty password in FortiOS 6.2.1, 6.2.0, 6.0.6 and below."}], "problemTypes": [{"descriptions": [{"description": "Information disclosure", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-01-23T16:50:43", "orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://fortiguard.com/psirt/FG-IR-19-134"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@fortinet.com", "ID": "CVE-2019-5593", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Fortinet FortiOS", "version": {"version_data": [{"version_value": "FortiOS 6.2.0 to 6.2.1, 6.0.6 and below"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Improper permission or value checking in the CLI console may allow a non-privileged user to obtain Fortinet FortiOS plaint text private keys of system's builtin local certificates via unsetting the keys encryption password in FortiOS 6.2.0, 6.0.0 to 6.0.6, 5.6.10 and below or for user uploaded local certificates via setting an empty password in FortiOS 6.2.1, 6.2.0, 6.0.6 and below."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Information disclosure"}]}]}, "references": {"reference_data": [{"name": "https://fortiguard.com/psirt/FG-IR-19-134", "refsource": "MISC", "url": "https://fortiguard.com/psirt/FG-IR-19-134"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T20:01:51.677Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://fortiguard.com/psirt/FG-IR-19-134"}]}]}, "cveMetadata": {"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "assignerShortName": "fortinet", "cveId": "CVE-2019-5593", "datePublished": "2020-01-23T16:50:43", "dateReserved": "2019-01-07T00:00:00", "dateUpdated": "2024-08-04T20:01:51.677Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "matchCriteriaId": "DBDD29F8-B339-4C3B-AF3F-77BB3D323D1D", "versionEndIncluding": "5.6.10", "vulnerable": true}, {"criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "matchCriteriaId": "8FA4CED9-EAB9-4FE4-B058-CC4D3E03C520", "versionEndIncluding": "6.0.6", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:fortinet:fortios:6.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "72C437B7-75F8-4DDC-9670-19E2C21ACB27", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper permission or value checking in the CLI console may allow a non-privileged user to obtain Fortinet FortiOS plaint text private keys of system's builtin local certificates via unsetting the keys encryption password in FortiOS 6.2.0, 6.0.0 to 6.0.6, 5.6.10 and below or for user uploaded local certificates via setting an empty password in FortiOS 6.2.1, 6.2.0, 6.0.6 and below."}, {"lang": "es", "value": "Una comprobaci\u00f3n inapropiada de permisos o valores en la consola de la CLI puede permitir a un usuario no privilegiado obtener claves privadas en texto plano de Fortinet FortiOS de los certificados locales incorporados del sistema mediante la desconfiguraci\u00f3n de la contrase\u00f1a de cifrado de claves en FortiOS versi\u00f3n 6.2.0, versiones 6.0.0 hasta 6.0.6, y versiones 5.6.10 y por debajo, o por un usuario que carg\u00f3 certificados locales mediante la configuraci\u00f3n de una contrase\u00f1a vac\u00eda en FortiOS versiones 6.2.1, 6.2.0, y versiones 6.0.6 y por debajo."}], "id": "CVE-2019-5593", "lastModified": "2021-07-21T11:39:23.747", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-01-23T17:15:12.173", "references": [{"source": "psirt@fortinet.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://fortiguard.com/psirt/FG-IR-19-134"}], "sourceIdentifier": "psirt@fortinet.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-755"}], "source": "nvd@nist.gov", "type": "Primary"}]}