Multiple cryptographic flaws allow for full LDAP and RADIUS password compromise

Summary

A missing cryptographic step vulnerability [CWE-325] in the function that encrypts users' LDAP and RADIUS credentials in FortiDDoS-F, FortiDDoS, FortiSandbox, FortiWeb, FortiADC, and FortiMail may allow an attacker in possession of the password store to compromise the confidentiality of the encrypted secrets, i.e. to recover the stored LDAP and RADIUS passwords.

Affected Products

FortiDDoS-F version 6.3.0
FortiDDoS-F version 6.2.0 through 6.2.2
FortiDDoS-F version 6.1.0 through 6.1.4
At least the following FortiDDoS versions:
FortiDDoS 5.5 all versions
FortiDDoS 5.4 all versions
FortiDDoS 5.3 all versions
FortiDDoS 5.2 all versions
FortiDDoS 5.1 all versions
FortiDDoS 5.0 all versions
FortiDDoS 4.7 all versions
FortiDDoS 4.6 all versions
FortiDDoS 4.5 all versions
FortiDDoS 4.4 all versions
FortiSandbox 4.0.0
FortiSandbox 3.2.2 and below
FortiWeb 6.3.11 and below
FortiWeb 6.2.4 and below
FortiWeb 6.1.2 and below
FortiWeb 6.0.7 and below
FortiWeb 5.9.1 and below
FortiWeb 5.8.7 and below
FortiWeb 5.7.3 and below
FortiADC 6.2.1 and below
FortiADC 6.1.3 and below
FortiADC 6.0.3 and below
FortiADC 5.x all versions
FortiMail 7.0.1 and below
FortiMail 6.4.5 and below
FortiMail 6.2.7 and below
FortiMail 6.0.11 and below
FortiMail 5.x all versions
Note: FortiMail is only impacted when the mail data migration feature is enabled in server mode (it is disabled by default). Gateway mode and transparent mode are not affected.

Solutions

Upgrade to FortiDDoS-F version 6.3.1 or above
Upgrade to FortiDDoS-F version 6.2.3 or above
Upgrade to FortiDDoS-F version 6.1.5 or above
Upgrade to FortiDDoS version 5.7.0 or above
Upgrade to FortiSandbox version 4.0.1 or above
Upgrade to FortiSandbox version 3.2.3 or above
Upgrade to FortiWeb version 6.3.12 or above
Upgrade to FortiWeb version 6.2.5 or above
Upgrade FortiADC 6.2 to a release above 6.2.1 (6.2.1 and below are listed as affected above)
Upgrade to FortiADC version 6.1.4 or above
Fix for FortiMail to be confirmed
FortiMail workaround: disable the mail data migration feature if the unit runs in server mode (other modes are not impacted)
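As an added check for anyone triaging this advisory against an inventory, the following Python script (my own example, not Fortinet tooling) encodes the affected ranges and the fixed builds listed above and classifies a product/version pair. It returns "unlisted" rather than guessing when a branch is not on the page (the FortiDDoS list is explicitly open-ended, and FortiMail 6.1/6.3 are not named), and it reports FortiMail as "not exploitable" unless the caller confirms that mail data migration is enabled in server mode. The product-name keys, the status strings and the rule that a branch newer than the newest listed fix counts as fixed are my own choices.

```python
"""Classify a Fortinet product/version pair against the ranges in this advisory.

Added example, not Fortinet code. The version numbers are copied from the
Affected Products and Solutions sections above; the classification logic is mine.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'v6.3.11' -> (6, 3, 11); builds are compared numerically, field by field."""
    return tuple(int(part) for part in text.strip().lstrip("v").split("."))


# Affected ranges per product: (branch prefix, highest affected build in that branch).
# None as the ceiling means "all versions" of that branch, as the advisory words it.
# For the oldest listed branch of a product the prefix is widened to the major
# version, because "X.Y.Z and below" there covers earlier minor branches too.
AFFECTED: Dict[str, List[Tuple[Version, Optional[Version]]]] = {
    "FortiDDoS-F": [((6, 3), (6, 3, 0)), ((6, 2), (6, 2, 2)), ((6, 1), (6, 1, 4))],
    # "At least" 4.4 through 5.5; 5.6 is not on the page, so it falls through to "unlisted".
    "FortiDDoS": [((5, m), None) for m in range(0, 6)] + [((4, m), None) for m in range(4, 8)],
    "FortiSandbox": [((4, 0), (4, 0, 0)), ((3,), (3, 2, 2))],
    "FortiWeb": [((6, 3), (6, 3, 11)), ((6, 2), (6, 2, 4)), ((6, 1), (6, 1, 2)),
                 ((6, 0), (6, 0, 7)), ((5, 9), (5, 9, 1)), ((5, 8), (5, 8, 7)), ((5,), (5, 7, 3))],
    "FortiADC": [((6, 2), (6, 2, 1)), ((6, 1), (6, 1, 3)), ((6, 0), (6, 0, 3)), ((5,), None)],
    "FortiMail": [((7, 0), (7, 0, 1)), ((6, 4), (6, 4, 5)), ((6, 2), (6, 2, 7)),
                  ((6, 0), (6, 0, 11)), ((5,), None)],
}

# First fixed build per branch, from the Solutions section. FortiADC 6.2 and all of
# FortiMail have no confirmed fixed build on the page, so they are deliberately absent.
FIXED: Dict[str, List[Version]] = {
    "FortiDDoS-F": [(6, 3, 1), (6, 2, 3), (6, 1, 5)],
    "FortiDDoS": [(5, 7, 0)],
    "FortiSandbox": [(4, 0, 1), (3, 2, 3)],
    "FortiWeb": [(6, 3, 12), (6, 2, 5)],
    "FortiADC": [(6, 1, 4)],
    "FortiMail": [],
}


def assess(product: str, version: str, fortimail_migration_in_server_mode: bool = False) -> str:
    """Return 'affected', 'not exploitable', 'fixed', 'unlisted' or 'not covered'."""
    if product not in AFFECTED:
        return "not covered"
    v = parse_version(version)
    for prefix, ceiling in AFFECTED[product]:
        if v[:len(prefix)] == prefix and (ceiling is None or v <= ceiling):
            # FortiMail is only exposed with mail data migration enabled in server mode.
            if product == "FortiMail" and not fortimail_migration_in_server_mode:
                return "not exploitable"
            return "affected"
    fixed = FIXED[product]
    # Fixed if at or above the fixed build of the same branch, or (my assumption)
    # on a branch newer than the newest fixed build listed for the product.
    if any(v[:2] == f[:2] and v >= f for f in fixed) or (fixed and v > max(fixed)):
        return "fixed"
    return "unlisted"  # e.g. FortiDDoS 5.6 or FortiMail 6.3: confirm with the vendor


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for prod, ver in [("FortiWeb", "6.3.11"), ("FortiDDoS", "5.6.0"), ("FortiMail", "7.0.1")]:
        print(prod, ver, "->", assess(prod, ver))
```

Feed it the version string as reported by each appliance. Treat "unlisted" as a prompt to check with Fortinet rather than as a clean result, and note that a FortiMail "not exploitable" verdict depends entirely on the migration flag you pass in, so confirm that setting on the unit first.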

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of Fortinet Product Security team.

Timeline

2021-12-07: Initial publication