PSIRT Advisories

FortiAuthenticator - Hard-coded cryptographic keys used to encrypt sensitive data

Summary

Usage of hard-coded cryptographic keys to encrypt configuration files and debug logs in FortiAuthenticator may allow an attacker with access to the files or the CLI configuration to decrypt the sensitive data, via knowledge of the hard-coded key.

Affected Products

FortiAuthenticator versions below 6.3.0.

Solutions

Please upgrade to FortiAuthenticator version 6.3.0 or above.

Acknowledgement

Fortinet is pleased to thank Steven Shockley for reporting this issue under responsible disclosure.