CVE-2016-6909 : Buffer overflow in the Cookie parser in Fortinet FortiOS 4.x before 4.1.11, 4.2.x before 4.2.13, and 4.3.x before 4.3.9

Buffer overflow in the Cookie parser in Fortinet FortiOS 4.x before 4.1.11, 4.2.x before 4.2.13, and 4.3.x before 4.3.9 and FortiSwitch before 3.4.3 allows remote attackers to execute arbitrary code via a crafted HTTP request, aka EGREGIOUSBLUNDER.

Published 2016-08-24 16:30:00

Updated 2019-05-22 15:06:01

Source MITRE

View at NVD, CVE.org

Vulnerability category: OverflowExecute code

Exploit prediction scoring system (EPSS) score for CVE-2016-6909

Probability of exploitation activity in the next 30 days: 96.19%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 99 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2016-6909

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
10.0	HIGH	AV:N/AC:L/Au:N/C:C/I:C/A:C	10.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
9.8	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2016-6909

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-6909

http://packetstormsecurity.com/files/138387/EGREGIOUSBLUNDER-Fortigate-Remote-Code-Execution.html

EGREGIOUSBLUNDER Fortigate Remote Code Execution ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry
http://www.securitytracker.com/id/1036643

Fortinet FortiGate/FortiOS Buffer Overflow in Cookie Parser Lets Remote Users Execute Arbitrary Code - SecurityTracker
Third Party Advisory;VDB Entry
http://fortiguard.com/advisory/FG-IR-16-023

Cookie Parser Buffer Overflow Vulnerability | FortiGuard
Vendor Advisory
http://www.securityfocus.com/bid/92523

Fortinet FortiGate Cookie Parser Buffer Overflow Vulnerability
Third Party Advisory;VDB Entry
https://www.exploit-db.com/exploits/40276/

Fortigate Firewalls - 'EGREGIOUSBLUNDER' Remote Code Execution
Exploit;Third Party Advisory;VDB Entry
https://musalbas.com/2016/08/16/equation-group-firewall-operations-catalogue.html

Equation Group firewall operations catalogue
Third Party Advisory

Products affected by CVE-2016-6909

Fortinet » Fortios
Versions from including (>=) 4.2.0 and before (<) 4.2.13
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
Matching versions
Fortinet » Fortios
Versions from including (>=) 4.1.0 and before (<) 4.1.11
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
Matching versions
Fortinet » Fortios
Versions from including (>=) 4.3.0 and before (<) 4.3.9
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
Matching versions
Fortinet » Fortiswitch
Versions up to, including, (<=) 3.4.2
cpe:2.3:o:fortinet:fortiswitch:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2016-6909

Exploit prediction scoring system (EPSS) score for CVE-2016-6909

CVSS scores for CVE-2016-6909

CWE ids for CVE-2016-6909

References for CVE-2016-6909

Products affected by CVE-2016-6909