FortiOS local admin password could be obtained
Summary
A read-only administrator may be able to read the password hashes of read-write administrators (but not of super-admins) stored on the appliance via the web UI REST API, and may therefore be able to crack them offline.
Description
An authenticated read-only administrator may be able to retrieve, via the web UI REST API, the stored password hashes of read-write administrator accounts (super-admin accounts are not exposed). The hashes can then be taken off the appliance and cracked offline; a recovered password gives the attacker the corresponding read-write administrator's access.
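To check an appliance for this behaviour, the following script (an added example, not Fortinet code) inspects the admin list returned to a read-only administrator and reports whose password hashes it contains. It assumes the response mirrors `config system admin` (fields `name`, `accprofile`, `password`), that a stored hash appears as the config's `ENC <hash>` string, and that the endpoint is `/api/v2/cmdb/system/admin` with bearer-token authentication; the sample response is constructed, not captured from a device.

```python
"""Check a FortiOS admin-list API response for other admins' password hashes.

Added example (not Fortinet code). Assumptions: the response shape mirrors
`config system admin` (fields name/accprofile/password), a stored hash is
returned as the config's "ENC <hash>" string, and the endpoint is
/api/v2/cmdb/system/admin with bearer-token auth. SAMPLE_ADMINS is constructed.
"""
import json
import re
import ssl
import urllib.request

ENC_HASH = re.compile(r"^ENC\s+\S+$")   # FortiOS config stores `set password ENC <hash>`
SUPER_ADMIN_PROFILE = "super_admin"     # built-in super-admin access profile


def find_exposed_hashes(admins, caller):
    """Return [(name, accprofile, hash)] for every admin other than `caller`
    whose password hash is present in the response the caller received."""
    exposed = []
    for adm in admins:
        if adm.get("name") == caller:
            continue
        pw = adm.get("password") or ""
        if ENC_HASH.match(pw):
            exposed.append((adm["name"], adm.get("accprofile"), pw))
    return exposed


def audit(admins, caller):
    """Summarise what a read-only caller could take offline for cracking.
    Super-admin hashes are listed separately: the advisory says they are not
    returned, so seeing one would point at a different problem."""
    exposed = find_exposed_hashes(admins, caller)
    rw = [n for n, prof, _ in exposed if prof != SUPER_ADMIN_PROFILE]
    sa = [n for n, prof, _ in exposed if prof == SUPER_ADMIN_PROFILE]
    return {"vulnerable": bool(rw),
            "readwrite_hashes_exposed": rw,
            "superadmin_hashes_exposed": sa}


def fetch_admins(host, token, verify_tls=True):
    """Live query (assumed endpoint and auth scheme; adapt to your firmware).
    Run it with the credentials of a read-only administrator."""
    req = urllib.request.Request(
        f"https://{host}/api/v2/cmdb/system/admin",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    ctx = None if verify_tls else ssl._create_unverified_context()
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)["results"]


# Constructed sample of what a read-only admin ("auditor") might receive:
# the super-admin entry carries no hash, the read-write admin's entry does.
SAMPLE_ADMINS = [
    {"name": "admin",   "accprofile": "super_admin",      "password": ""},
    {"name": "netops",  "accprofile": "prof_admin",       "password": "ENC AK1c0nstructedExampleHash=="},
    {"name": "auditor", "accprofile": "readonly_auditor", "password": "ENC AK1c4ller0wnHash=="},
]

if __name__ == "__main__":
    # Replace SAMPLE_ADMINS with fetch_admins(host, token) to test a real unit.
    print(json.dumps(audit(SAMPLE_ADMINS, "auditor"), indent=2))
```

Any `ENC` value for an account other than the caller's own is material an attacker can feed to an offline cracker, so a non-empty `readwrite_hashes_exposed` list on an unpatched unit confirms the issue.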
Affected Products
FortiOS
Solutions
- Upgrade to FortiOS 5.4.2 GA
- Upgrade to FortiOS 5.2.10 GA

Workarounds:
1. Use two-factor authentication for local administrator accounts, or a remote authentication method such as LDAP or RADIUS, so that a cracked hash on its own is not enough to log in.
2. Enforce a strong password policy for administrator accounts so that a disclosed hash is impractical to crack.
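The two workarounds above, expressed in FortiOS CLI as an added example (not part of the advisory). The account name, token serial and policy thresholds are placeholders chosen here; verify the option names against the CLI reference for your firmware version before applying.

```fortios
# Workaround 2: strong password policy applied to administrator passwords
# (thresholds are illustrative; pick values that match your own policy)
config system password-policy
    set status enable
    set apply-to admin-password
    set minimum-length 14
    set min-lower-case-letter 1
    set min-upper-case-letter 1
    set min-non-alphanumeric 1
    set min-number 1
    set change-4-characters enable
    set expire-status enable
    set expire-day 90
end

# Workaround 1: two-factor authentication on a local read-write admin account
# ("netops" and the FortiToken serial are placeholders)
config system admin
    edit "netops"
        set accprofile "prof_admin"
        set two-factor fortitoken
        set fortitoken "FTKXXXXXXXXXXXXX"
    next
end
```

After enabling the policy, existing administrator passwords must still be changed to ones that satisfy it; the policy only constrains passwords set from that point on.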