<?xml version="1.0" encoding="UTF-8"?>
<cvrf:cvrfdoc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cvrf-common="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/common" xmlns:cvrf="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/cvrf">
    <cvrf:DocumentTitle>Multiple cryptographic flaws allow for full LDAP and RADIUS passwords compromise</cvrf:DocumentTitle>
    <cvrf:DocumentType>Fortinet PSIRT Advisories</cvrf:DocumentType>
    <cvrf:DocumentPublisher Type="Vendor">
        <cvrf:ContactDetails>
            Fortinet PSIRT Contact:
            Website: https://fortiguard.fortinet.com/faq/psirt-contact
        </cvrf:ContactDetails>
    </cvrf:DocumentPublisher>
    <cvrf:DocumentTracking>
        <cvrf:Identification>
            <cvrf:ID>FG-IR-20-222</cvrf:ID>
        </cvrf:Identification>
        <cvrf:Status>Final</cvrf:Status>
        <cvrf:Version>1</cvrf:Version>
        <cvrf:RevisionHistory>
            <cvrf:Revision>
                <cvrf:Number>1</cvrf:Number>
                <cvrf:Date>2021-12-07T00:00:00</cvrf:Date>
                <cvrf:Description>Current version</cvrf:Description>
            </cvrf:Revision>
        </cvrf:RevisionHistory>
        <cvrf:InitialReleaseDate>2021-12-07T00:00:00</cvrf:InitialReleaseDate>
        <cvrf:CurrentReleaseDate>2021-12-07T00:00:00</cvrf:CurrentReleaseDate>
    </cvrf:DocumentTracking>
    <cvrf:DocumentNotes>
        <cvrf:Note Title="Summary" Type="Summary" Ordinal="1">
            A missing cryptographic step vulnerability [CWE-325] in the function that encrypts users' LDAP and RADIUS credentials in FortiDDoS-F, FortiDDoS, FortiSandbox, FortiWeb, FortiADC, and FortiMail may allow an attacker in possession of the password store to compromise the confidentiality of the encrypted secrets.
        </cvrf:Note>
        <cvrf:Note Title="Impact" Type="General" Ordinal="2">
            Execute unauthorized code or commands
        </cvrf:Note>
        <cvrf:Note Title="Affected Products" Type="General" Ordinal="3">
            FortiDDoS-F version 6.3.0
            FortiDDoS-F version 6.2.0 through 6.2.2
            FortiDDoS-F version 6.1.0 through 6.1.4
            At least
            FortiDDoS 5.5 all versions
            FortiDDoS 5.4 all versions
            FortiDDoS 5.3 all versions
            FortiDDoS 5.2 all versions
            FortiDDoS 5.1 all versions
            FortiDDoS 5.0 all versions
            FortiDDoS 4.7 all versions
            FortiDDoS 4.6 all versions
            FortiDDoS 4.5 all versions
            FortiDDoS 4.4 all versions
            FortiSandbox 4.0.0
            FortiSandbox 3.2.2 and below.
            FortiWeb versions 6.3.11 and below.
            FortiWeb versions 6.2.4 and below.
            FortiWeb versions 6.1.2 and below.
            FortiWeb versions 6.0.7 and below.
            FortiWeb versions 5.9.1 and below.
            FortiWeb versions 5.8.7 and below.
            FortiWeb versions 5.7.3 and below.
            FortiADC versions 6.2.1 and below.
            FortiADC versions 6.1.3 and below.
            FortiADC versions 6.0.3 and below.
            All FortiADC versions 5.x.
            FortiMail versions 7.0.1 and below.
            FortiMail versions 6.4.5 and below.
            FortiMail versions 6.2.7 and below.
            FortiMail versions 6.0.11 and below.
            All FortiMail versions 5.x.
            Note: FortiMail is only impacted when the mail data migration feature is enabled, in server mode (disabled by default). Gateway mode and transparent mode are not affected.
        </cvrf:Note>
        <cvrf:Note Title="Solutions" Type="General" Ordinal="4">
            Please upgrade to FortiDDoS-F version 6.3.1 or above
            Please upgrade to FortiDDoS-F version 6.2.3 or above
            Please upgrade to FortiDDoS-F version 6.1.5 or above
            Please upgrade to FortiDDoS version 5.7.0 or above
            Upgrade to FortiSandbox version 4.0.1 or above.
            Upgrade to FortiSandbox version 3.2.3 or above.
            Upgrade to FortiWeb version 6.3.12 or above.
            Upgrade to FortiWeb version 6.2.5 or above.
            Upgrade to FortiADC version 6.2.1 or above.
            Upgrade to FortiADC version 6.1.4 or above.
            *** Fix for FortiMail to be confirmed. ***
            FortiMail workaround: Disable the data migration feature, if in server mode (other modes are not impacted)
        </cvrf:Note>
    </cvrf:DocumentNotes>
    <cvrf:Acknowledgments>
        <cvrf:Acknowledgment>
            <cvrf:Description>Internally discovered and reported by Giuseppe Cocomazzi of Fortinet Product Security team.</cvrf:Description>
        </cvrf:Acknowledgment>
    </cvrf:Acknowledgments>
    <Vulnerability Ordinal="1">
        <Title>Multiple cryptographic flaws allow for full LDAP and RADIUS passwords compromise</Title>
        <cvrf:CVE>CVE-2021-32591</cvrf:CVE>
        <CVSSScoreSets>
            <ScoreSetV3>
                <BaseScoreV3>5.3</BaseScoreV3>
                <VectorV3>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:X/RC:C</VectorV3>
            </ScoreSetV3>
        </CVSSScoreSets>
        <References Type="Self">
            <Reference>
                <URL>https://fortiguard.fortinet.com/psirt/FG-IR-20-222</URL>
                <Description>Multiple cryptographic flaws allow for full LDAP and RADIUS passwords compromise</Description>
            </Reference>Reference>
        </References>
    </Vulnerability>
</cvrf:cvrfdoc>