Weak key derivation for backup file in FortiOS and FortiProxy
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2024-21754 |
| CWE-ID | CWE-916 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software Subscribe |
FortiOS Operating systems & Components / Operating system FortiProxy Hardware solutions / Routers & switches, VoIP, GSM, etc |
| Vendor | Fortinet, Inc |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Use of Password Hash With Insufficient Computational Effort
EUVDB-ID: #VU91783
Risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-21754
CWE-ID:
CWE-916 - Use of Password Hash With Insufficient Computational Effort
Exploit availability: No
DescriptionThe vulnerability allows a local user to decrypt backup files.
The vulnerability exist due to usage of a weak key derivation for backup file. A local user with super-admin profile and CLI access can decrypting the backup file.
MitigationInstall updates from vendor's website.
Vulnerable software versionsFortiOS: 6.4.0 - 7.4.3
FortiProxy: 2.0.0 - 7.4.2
External linkshttp://fortiguard.fortinet.com/psirt/FG-IR-23-423
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
