CVE-2020-12820

Under non-default configuration, a stack-based buffer overflow in FortiOS version 6.0.10 and below, version 5.6.12 and below may allow a remote attacker authenticated to the SSL VPN to crash the FortiClient NAC daemon (fcnacd) and potentially execute arbitrary code via requesting a large FortiClient file name. We are not aware of proof of concept code successfully achieving the latter.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://fortiguard.fortinet.com/psirt/FG-IR-20-083	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:fortinet:fortios::::::::
	cpe:2.3:o:fortinet:fortios::::::::

History

21 Jan 2025, 20:42

Type	Values Removed	Values Added
First Time		Fortinet Fortinet fortios
References	~~() https://fortiguard.fortinet.com/psirt/FG-IR-20-083 -~~	() https://fortiguard.fortinet.com/psirt/FG-IR-20-083 - Vendor Advisory
CWE		CWE-787
Summary		(es) En una configuración no predeterminada, un desbordamiento de búfer basado en pila en FortiOS versión 6.0.10 y anteriores, versión 5.6.12 y anteriores puede permitir que un atacante remoto autenticado en la VPN SSL bloquee el daemon NAC de FortiClient (fcnacd) y potencialmente ejecute código arbitrario mediante la solicitud de un nombre de archivo FortiClient grande. No tenemos conocimiento de ningún código de prueba de concepto que logre esto último con éxito.
CPE		cpe:2.3:o:fortinet:fortios::::::::

19 Dec 2024, 11:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-12-19 11:15

Updated : 2025-01-21 20:42

NVD link : CVE-2020-12820

Mitre link : CVE-2020-12820

CVE.ORG link : CVE-2020-12820

JSON object : View

Products Affected

fortinet

fortios

CWE

CWE-121

Stack-based Buffer Overflow

CWE-787

Out-of-bounds Write

{"id": "CVE-2020-12820", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@fortinet.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 2.5, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2024-12-19T11:15:05.700", "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-20-083", "tags": ["Vendor Advisory"], "source": "psirt@fortinet.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "psirt@fortinet.com", "description": [{"lang": "en", "value": "CWE-121"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "Under non-default configuration, a stack-based buffer overflow in FortiOS version 6.0.10 and below, version 5.6.12 and below may allow a remote attacker authenticated to the SSL VPN to crash the FortiClient NAC daemon (fcnacd) and potentially execute arbitrary code via requesting a large FortiClient file name. We are not aware of proof of concept code successfully achieving the latter."}, {"lang": "es", "value": "En una configuraci\u00f3n no predeterminada, un desbordamiento de b\u00fafer basado en pila en FortiOS versi\u00f3n 6.0.10 y anteriores, versi\u00f3n 5.6.12 y anteriores puede permitir que un atacante remoto autenticado en la VPN SSL bloquee el daemon NAC de FortiClient (fcnacd) y potencialmente ejecute c\u00f3digo arbitrario mediante la solicitud de un nombre de archivo FortiClient grande. No tenemos conocimiento de ning\u00fan c\u00f3digo de prueba de concepto que logre esto \u00faltimo con \u00e9xito."}], "lastModified": "2025-01-21T20:42:17.767", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8C8DACBF-C9D5-4898-8294-DB887A28A9C7", "versionEndExcluding": "5.6.13"}, {"criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D44B5E8F-6093-4E84-9197-4530032E5B5A", "versionEndExcluding": "6.0.11", "versionStartIncluding": "6.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@fortinet.com"}

5.4 /10