[FortiAuthenticator & FortiInsight] Symmetric encryption keys for debug logs, config files and users passwords are the same among all appliances

[FortiAuthenticator & FortiInsight] Symmetric encryption keys for debug logs, config files and users passwords are the same among all appliances Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-20-049 Final 1 1 2021-06-01T00:00:00 Current version 2021-06-01T00:00:00 2021-06-01T00:00:00 Usage of hard-coded cryptographic keys to encrypt configuration files and debug logs in FortiAuthenticator may allow an attacker with access to the files or the CLI configuration to decrypt the sensitive data, via knowledge of the hard-coded key. Information disclosure FortiAuthenticator versions below 6.3.0. Please upgrade to FortiAuthenticator version 6.3.0 or above. Fortinet is pleased to thank Steven Shockley for reporting this issue under responsible disclosure. [FortiAuthenticator & FortiInsight] Symmetric encryption keys for debug logs, config files and users passwords are the same among all appliances CVE-2021-24005 3.9 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:X/RC:X https://fortiguard.fortinet.com/psirt/FG-IR-20-049 [FortiAuthenticator & FortiInsight] Symmetric encryption keys for debug logs, config files and users passwords are the same among all appliances Reference>