FortiOS & FortiProxy - SMTP password ciphertext exposure in Log

Summary

An insertion of sensitive information into log file vulnerability [CWE-532] in FortiOS / FortiProxy log events may allow a remote authenticated attacker to read certain passwords in ciphertext.

Version Affected Solution
FortiOS 7.4 Not affected Not Applicable
FortiOS 7.2 7.2.0 through 7.2.5 Upgrade to 7.2.6 or above
FortiOS 7.0 7.0 all versions Migrate to a fixed release
FortiOS 6.4 6.4 all versions Migrate to a fixed release
FortiOS 6.2 6.2 all versions Migrate to a fixed release
FortiOS 6.0 6.0 all versions Migrate to a fixed release
FortiProxy 7.2 7.2.0 through 7.2.1 Upgrade to 7.2.2 or above
FortiProxy 7.0 7.0 all versions Migrate to a fixed release
Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool

Acknowledgement

Internally discovered and reported by Goutham Dhongadi Rukmasah of Fortinet R&D team.

Timeline

2023-05-12: Initial publication