Weak key derivation for backup file

Summary

A use of password hash with insufficient computational effort vulnerability [CWE-916] in FortiOS and FortiProxy may allow a privileged attacker with the super-admin profile and CLI access to decrypt the backup file.
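The advisory does not describe the actual derivation FortiOS uses for the backup file, so the following is an added illustration of the CWE-916 weakness class, not Fortinet's code: a constructed "weak" derivation (one unsalted hash, cheap to guess) next to a hardened one (PBKDF2-HMAC-SHA256 with a random salt and an assumed iteration count), plus a helper that measures how much more work each password guess costs against the hardened form.

```python
import hashlib
import os
import time
from typing import Callable

# Constructed illustration of CWE-916. The advisory does not describe the real
# FortiOS/FortiProxy backup key derivation; "weak" below is the textbook
# insufficient-effort form, not the product's actual code.

def weak_backup_key(password: str) -> bytes:
    """One unsalted SHA-256 pass: each guess costs a single hash, and equal
    passwords give equal keys on every device, so one recovered key fits all."""
    return hashlib.sha256(password.encode()).digest()

# Assumed parameters (not from the page): 600k iterations is the OWASP-recommended
# order of magnitude for PBKDF2-HMAC-SHA256; 16-byte salts are a common floor.
PBKDF2_ITERATIONS = 600_000
MIN_SALT_BYTES = 16
MIN_ITERATIONS = 100_000

def new_backup_salt() -> bytes:
    """Fresh random salt, stored next to the encrypted backup (it is not secret)."""
    return os.urandom(MIN_SALT_BYTES)

def strong_backup_key(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: per-backup salt plus a work factor that makes each
    guess cost `iterations` HMAC computations instead of one hash."""
    if len(salt) < MIN_SALT_BYTES:
        raise ValueError("salt too short")
    if iterations < MIN_ITERATIONS:
        raise ValueError("iteration count too low")
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)

def derivations_per_second(derive: Callable[[], bytes], runs: int) -> float:
    """Rough guess rate an attacker with this host's CPU gets for one derivation."""
    start = time.perf_counter()
    for _ in range(runs):
        derive()
    return runs / max(time.perf_counter() - start, 1e-9)

def work_factor_ratio(iterations: int = PBKDF2_ITERATIONS) -> float:
    """How many times more expensive one hardened derivation is than the weak one."""
    salt = new_backup_salt()
    weak_rate = derivations_per_second(lambda: weak_backup_key("Backup-Pass"), 2000)
    strong_rate = derivations_per_second(lambda: strong_backup_key("Backup-Pass", salt, iterations), 1)
    return weak_rate / strong_rate

if __name__ == "__main__":
    print(f"hardened/weak cost per guess: {work_factor_ratio():,.0f}x")
```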

Version           Affected               Solution
FortiOS 7.4       7.4.0 through 7.4.3    Upgrade to 7.4.4 or above
FortiOS 7.2       7.2.0 through 7.2.8    Upgrade to 7.2.9 or above
FortiOS 7.0       7.0 all versions       Migrate to a fixed release
FortiOS 6.4       6.4 all versions       Migrate to a fixed release
FortiProxy 7.4    7.4.0 through 7.4.2    Upgrade to 7.4.3 or above
FortiProxy 7.2    7.2 all versions       Migrate to a fixed release
FortiProxy 7.0    7.0 all versions       Migrate to a fixed release
FortiProxy 2.0    2.0 all versions       Migrate to a fixed release
Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool

Acknowledgement

Fortinet is pleased to thank Hendrik Eckardt and Matthias Barkhausen from G DATA Advanced Analytics for reporting this vulnerability under responsible disclosure.

Timeline

2024-06-11: Initial publication
2024-09-04: Fixed versions updated