PSIRT Advisories

FortiSandbox, FortiWeb, FortiADC, FortiMail - Multiple cryptographic flaws allow full LDAP and RADIUS password compromise

Summary

A missing cryptographic step vulnerability [CWE-325] in the function that encrypts users' LDAP and RADIUS credentials in FortiSandbox, FortiWeb, FortiADC, and FortiMail may allow an attacker in possession of the password store to compromise the confidentiality of the encrypted secrets.

Affected Products

FortiSandbox version 4.0.0.

FortiSandbox versions 3.2.2 and below.

FortiWeb versions 6.3.11 and below.

FortiWeb versions 6.2.4 and below.

FortiWeb versions 6.1.2 and below.

FortiWeb versions 6.0.7 and below.

FortiWeb versions 5.9.1 and below.

FortiWeb versions 5.8.7 and below.

FortiWeb versions 5.7.3 and below.

FortiADC versions 6.2.1 and below.

FortiADC versions 6.1.3 and below.

FortiADC versions 6.0.3 and below.

All FortiADC versions 5.x.

FortiMail versions 7.0.1 and below.

FortiMail versions 6.4.5 and below.

FortiMail versions 6.2.7 and below.

FortiMail versions 6.0.11 and below.

All FortiMail versions 5.x.

Note: FortiMail is only impacted when the mail data migration feature is enabled in server mode (it is disabled by default). Gateway mode and transparent mode are not affected.

Solutions

Upgrade to FortiSandbox version 4.0.1 or above.

Upgrade to FortiSandbox version 3.2.3 or above.

Upgrade to FortiWeb version 6.3.12 or above.

Upgrade to FortiWeb version 6.2.5 or above.

Upgrade to FortiADC version 6.2.1 or above.

Upgrade to FortiADC version 6.1.4 or above.

FortiMail workaround: Disable the data migration feature if running in server mode (other modes are not impacted).

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of the Fortinet Product Security team.