Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 4.3
CVE Id: CVE-2015-1571
Last Modified: 22 Jul 2015 02:37:09
Published: 10 Feb 2015 03:59:06
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

CVE-2015-1571

Summary

** DISPUTED ** The CAPWAP DTLS protocol implementation in Fortinet FortiOS 5.0 Patch 7 build 4457 uses the same certificate and private key across different customers' installations, which makes it easier for man-in-the-middle attackers to spoof SSL servers by leveraging the Fortinet_Factory certificate and private key. NOTE: FG-IR-15-002 says "The Fortinet_Factory certificate is unique to each device ... An attacker cannot therefore stage a MitM attack."

Vulnerable Systems

Operating System

  • Fortinet FortiOS 5.0.7


References

MISC - http://www.security-assessment.com/files/documents/advisory/Fortinet_FortiOS_Multiple_Vulnerabilities.pdf

FULLDISC - 20150129 Fortinet FortiOS Multiple Vulnerabilities

MISC - http://www.fortiguard.com/advisory/FG-IR-15-002/


Last Updated: 27 May 2016 10:55:48