The default configuration of Fortinet Fortigate UTM appliances uses the same Certification Authority certificate and same private key across different customers' installations, which makes it easier for man-in-the-middle attackers to spoof SSL servers by leveraging the presence of the Fortinet_CA_SSLProxy certificate in a list of trusted root certification authorities.

No CVSS v3.1

No CVSS v3.0

Access Vector Adjacent Network

Access Complexity High

Authentication None

Confidentiality Impact Complete

Integrity Impact Partial

Availability Impact None

AV:A/AC:H/Au:N/C:C/I:P/A:N
Vendors Products
Fortinet
  • Fortigate-1240b
  • Fortigate-3240c
  • Fortigate-600c
  • Fortigate-5020
  • Fortigate-3140b
  • Fortigaterugged-100c
  • Fortigate-50b
  • Fortigate-100d
  • Fortigate-voice-80c
  • Fortigate-1000c
  • Fortigate-3950b
  • Fortigate-5060
  • Fortigate-200b
  • Fortigate-40c
  • Fortigate-60c
  • Fortigate-800c
  • Fortigate-311b
  • Fortigate-5001a-sw
  • Fortigate-20c
  • Fortigate-3810a
  • Fortigate-300c
  • Fortigate-80c
  • Fortigate-620b
  • Fortigate-5101c
  • Fortigate-3040b
  • Fortigate-310b
  • Fortigate-5001b
  • Fortigate-110c
  • Fortigate-5140b

Configuration 1 [-]

OR cpe:2.3:h:fortinet:fortigate-1000c:-:*:*:*:*:*:*:*
cpe:2.3:h:fortinet:fortigate-100d:-:*:*:*:*:*:*:*
cpe:2.3:h:fortinet:fortigate-110c:-:*:*:*:*:*:*:*
cpe:2.3:h:fortinet:fortigate-1240b:-:*:*:*:*:*:*:*
cpe:2.3:h:fortinet:fortigate-200b:-:*:*:*:*:*:*:*
cpe:2.3:h:fortinet:fortigate-20c:-:*:*:*:*:*:*:*
cpe:2.3:h:fortinet:fortigate-300c:-:*:*:*:*:*:*:*
cpe:2.3:h:fortinet:fortigate-3040b:-:*:*:*:*:*:*:*
cpe:2.3:h:fortinet:fortigate-310b:-:*:*:*:*:*:*:*
cpe:2.3:h:fortinet:fortigate-311b:-:*:*:*:*:*:*:*
cpe:2.3:h:fortinet:fortigate-3140b:-:*:*:*:*:*:*:*
cpe:2.3:h:fortinet:fortigate-3240c:-:*:*:*:*:*:*:*
cpe:2.3:h:fortinet:fortigate-3810a:-:*:*:*:*:*:*:*
cpe:2.3:h:fortinet:fortigate-3950b:-:*:*:*:*:*:*:*
cpe:2.3:h:fortinet:fortigate-40c:-:*:*:*:*:*:*:*
cpe:2.3:h:fortinet:fortigate-5001a-sw:-:*:*:*:*:*:*:*
cpe:2.3:h:fortinet:fortigate-5001b:-:*:*:*:*:*:*:*
cpe:2.3:h:fortinet:fortigate-5020:-:*:*:*:*:*:*:*
cpe:2.3:h:fortinet:fortigate-5060:-:*:*:*:*:*:*:*
cpe:2.3:h:fortinet:fortigate-50b:-:*:*:*:*:*:*:*
cpe:2.3:h:fortinet:fortigate-5101c:-:*:*:*:*:*:*:*
cpe:2.3:h:fortinet:fortigate-5140b:-:*:*:*:*:*:*:*
cpe:2.3:h:fortinet:fortigate-600c:-:*:*:*:*:*:*:*
cpe:2.3:h:fortinet:fortigate-60c:-:*:*:*:*:*:*:*
cpe:2.3:h:fortinet:fortigate-620b:-:*:*:*:*:*:*:*
cpe:2.3:h:fortinet:fortigate-800c:-:*:*:*:*:*:*:*
cpe:2.3:h:fortinet:fortigate-80c:-:*:*:*:*:*:*:*
cpe:2.3:h:fortinet:fortigate-voice-80c:-:*:*:*:*:*:*:*
cpe:2.3:h:fortinet:fortigaterugged-100c:-:*:*:*:*:*:*:*
References
Link Resource
http://osvdb.org/87048
http://www.kb.cert.org/vuls/id/111708 Third Party Advisory US Government Resource
http://www.securityfocus.com/bid/56382 Third Party Advisory VDB Entry
History

No history.

cve-icon MITRE Information

Status: PUBLISHED

Assigner: certcc

Published: 2012-11-14T11:00:00

Updated: 2013-02-26T10:00:00

Reserved: 2012-09-17T00:00:00

Link: CVE-2012-4948

JSON object: View

cve-icon NVD Information

Status : Analyzed

Published: 2012-11-14T12:30:59.507

Modified: 2016-12-07T18:14:04.170

Link: CVE-2012-4948

JSON object: View

cve-icon Redhat Information

No data.

CWE