CVE-2012-4948

Improper Certificate Validation

Published: Nov 14, 2012 | Modified: Dec 07, 2016
Source: NVD
CVSS 3.x: N/A
CVSS 2.x: 5.3 MEDIUM (AV:A/AC:H/Au:N/C:C/I:P/A:N)

The default configuration of Fortinet Fortigate UTM appliances uses the same Certification Authority certificate and same private key across different customers' installations, which makes it easier for man-in-the-middle attackers to spoof SSL servers by leveraging the presence of the Fortinet_CA_SSLProxy certificate in a list of trusted root certification authorities.

Weakness

The software does not validate, or incorrectly validates, a certificate.

Affected Software

Name                  Vendor    Start Version  End Version
Fortigate-1000c       Fortinet  -              -
Fortigate-100d        Fortinet  -              -
Fortigate-110c        Fortinet  -              -
Fortigate-1240b       Fortinet  -              -
Fortigate-200b        Fortinet  -              -
Fortigate-20c         Fortinet  -              -
Fortigate-300c        Fortinet  -              -
Fortigate-3040b       Fortinet  -              -
Fortigate-310b        Fortinet  -              -
Fortigate-311b        Fortinet  -              -
Fortigate-3140b       Fortinet  -              -
Fortigate-3240c       Fortinet  -              -
Fortigate-3810a       Fortinet  -              -
Fortigate-3950b       Fortinet  -              -
Fortigate-40c         Fortinet  -              -
Fortigate-5001a-sw    Fortinet  -              -
Fortigate-5001b       Fortinet  -              -
Fortigate-5020        Fortinet  -              -
Fortigate-5060        Fortinet  -              -
Fortigate-50b         Fortinet  -              -
Fortigate-5101c       Fortinet  -              -
Fortigate-5140b       Fortinet  -              -
Fortigate-600c        Fortinet  -              -
Fortigate-60c         Fortinet  -              -
Fortigate-620b        Fortinet  -              -
Fortigate-800c        Fortinet  -              -
Fortigate-80c         Fortinet  -              -
Fortigate-voice-80c   Fortinet  -              -
Fortigaterugged-100c  Fortinet  -              -