CVE-2020-12819

A heap-based buffer overflow vulnerability in the processing of Link Control Protocol messages in FortiGate versions 5.6.12, 6.0.10, 6.2.4 and 6.4.1 and earlier may allow a remote attacker with valid SSL VPN credentials to crash the SSL VPN daemon by sending a large LCP packet, when tunnel mode is enabled. Arbitrary code execution may be theoretically possible, albeit practically very difficult to achieve in this context

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://fortiguard.com/advisory/FG-IR-20-082	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:fortinet:fortios::::::::
	cpe:2.3:o:fortinet:fortios::::::::
	cpe:2.3:o:fortinet:fortios::::::::
	cpe:2.3:o:fortinet:fortios::::::::

History

21 Jan 2025, 20:58

Type	Values Removed	Values Added
References	~~() https://fortiguard.com/advisory/FG-IR-20-082 -~~	() https://fortiguard.com/advisory/FG-IR-20-082 - Vendor Advisory
CWE		CWE-787
CPE		cpe:2.3:o:fortinet:fortios::::::::
First Time		Fortinet Fortinet fortios
Summary		(es) Una vulnerabilidad de desbordamiento de búfer en el montón durante el procesamiento de mensajes del Protocolo de control de enlaces en las versiones 5.6.12, 6.0.10, 6.2.4 y 6.4.1 y anteriores de FortiGate puede permitir que un atacante remoto con credenciales de VPN SSL válidas bloquee el daemon de VPN SSL mediante el envío de un paquete LCP de gran tamaño cuando el modo túnel está habilitado. La ejecución de código arbitrario puede ser teóricamente posible, aunque en la práctica es muy difícil de lograr en este contexto

19 Dec 2024, 08:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-12-19 08:15

Updated : 2025-01-21 20:58

NVD link : CVE-2020-12819

Mitre link : CVE-2020-12819

CVE.ORG link : CVE-2020-12819

JSON object : View

Products Affected

fortinet

fortios

CWE

CWE-122

Heap-based Buffer Overflow

CWE-787

Out-of-bounds Write

{"id": "CVE-2020-12819", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@fortinet.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 2.5, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.6}]}, "published": "2024-12-19T08:15:11.770", "references": [{"url": "https://fortiguard.com/advisory/FG-IR-20-082", "tags": ["Vendor Advisory"], "source": "psirt@fortinet.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "psirt@fortinet.com", "description": [{"lang": "en", "value": "CWE-122"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "A heap-based buffer overflow vulnerability in the processing of Link Control Protocol messages in FortiGate versions 5.6.12, 6.0.10, 6.2.4 and 6.4.1 and earlier may allow a remote attacker with valid SSL VPN credentials to crash the SSL VPN daemon by sending a large LCP packet, when tunnel mode is enabled. Arbitrary code execution may be theoretically possible, albeit practically very difficult to achieve in this context"}, {"lang": "es", "value": "Una vulnerabilidad de desbordamiento de b\u00fafer en el mont\u00f3n durante el procesamiento de mensajes del Protocolo de control de enlaces en las versiones 5.6.12, 6.0.10, 6.2.4 y 6.4.1 y anteriores de FortiGate puede permitir que un atacante remoto con credenciales de VPN SSL v\u00e1lidas bloquee el daemon de VPN SSL mediante el env\u00edo de un paquete LCP de gran tama\u00f1o cuando el modo t\u00fanel est\u00e1 habilitado. La ejecuci\u00f3n de c\u00f3digo arbitrario puede ser te\u00f3ricamente posible, aunque en la pr\u00e1ctica es muy dif\u00edcil de lograr en este contexto"}], "lastModified": "2025-01-21T20:58:57.503", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8C8DACBF-C9D5-4898-8294-DB887A28A9C7", "versionEndExcluding": "5.6.13"}, {"criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D44B5E8F-6093-4E84-9197-4530032E5B5A", "versionEndExcluding": "6.0.11", "versionStartIncluding": "6.0.0"}, {"criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B59A39D6-9494-4273-8348-1078A77DD796", "versionEndExcluding": "6.2.5", "versionStartIncluding": "6.2.0"}, {"criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FECE2DC5-CFCC-4BA9-B416-4EB2C1E4D9BB", "versionEndExcluding": "6.4.2", "versionStartIncluding": "6.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@fortinet.com"}