FortiSandbox, FortiWeb, FortiADC, FortiMail - Multiple cryptographic flaws allow for full compromise of LDAP and RADIUS passwords


A missing cryptographic step vulnerability [CWE-325] in the function that encrypts users' LDAP and RADIUS credentials in FortiDDoS-F, FortiDDoS, FortiSandbox, FortiWeb, FortiADC, and FortiMail may allow an attacker in possession of the password store to compromise the confidentiality of the encrypted secrets.

Affected Products

FortiDDoS-F version 6.3.0
FortiDDoS-F version 6.2.0 through 6.2.2
FortiDDoS-F version 6.1.0 through 6.1.4

At least
FortiDDoS 5.5 all versions
FortiDDoS 5.4 all versions
FortiDDoS 5.3 all versions
FortiDDoS 5.2 all versions
FortiDDoS 5.1 all versions
FortiDDoS 5.0 all versions
FortiDDoS 4.7 all versions
FortiDDoS 4.6 all versions
FortiDDoS 4.5 all versions
FortiDDoS 4.4 all versions
FortiSandbox 4.0.0
FortiSandbox 3.2.2 and below.

FortiWeb versions 6.3.11 and below.
FortiWeb versions 6.2.4 and below.
FortiWeb versions 6.1.2 and below.
FortiWeb versions 6.0.7 and below.
FortiWeb versions 5.9.1 and below.
FortiWeb versions 5.8.7 and below.
FortiWeb versions 5.7.3 and below.

FortiADC versions 6.2.1 and below.
FortiADC versions 6.1.3 and below.
FortiADC versions 6.0.3 and below.
All FortiADC versions 5.x.

FortiMail versions 7.0.1 and below.
FortiMail versions 6.4.5 and below.
FortiMail versions 6.2.7 and below.
FortiMail versions 6.0.11 and below.
All FortiMail versions 5.x.

Note: FortiMail is only impacted when the mail data migration feature is enabled, in server mode (disabled by default). Gateway mode and transparent mode are not affected.


Solutions

Upgrade to FortiDDoS-F version 6.3.1 or above.
Upgrade to FortiDDoS-F version 6.2.3 or above.
Upgrade to FortiDDoS-F version 6.1.5 or above.

Upgrade to FortiDDoS version 5.7.0 or above.

Upgrade to FortiSandbox version 4.0.1 or above.
Upgrade to FortiSandbox version 3.2.3 or above.

Upgrade to FortiWeb version 6.3.12 or above.
Upgrade to FortiWeb version 6.2.5 or above.

Upgrade to FortiADC version 6.2.1 or above.
Upgrade to FortiADC version 6.1.4 or above.

*** Fix for FortiMail to be confirmed. ***

FortiMail workaround: disable the data migration feature if the unit runs in server mode (other modes are not impacted).
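The affected-version list above is long and mixes three kinds of statement ("X.Y all versions", "X.Y.Z and below", "X.Y.A through X.Y.B"), which makes a manual inventory review error-prone. The script below is an added example, not Fortinet code and not part of this advisory: it transcribes the ranges and fixed releases stated above into a small checker that classifies a product/version pair as "affected" (with the first fixed release named by the advisory, where one is given) or "not listed". Two assumptions are made for the example: "X.Y.Z and below" is read as the X.Y branch up to and including X.Y.Z, because the advisory enumerates each branch separately, and a version outside every listed range is reported as "not listed" rather than "safe", since the advisory does not say anything about such versions (for instance a FortiSandbox 3.1.x build, which the advisory does not enumerate).

```python
"""Classify a Fortinet product/version pair against the affected ranges
stated in this advisory.  Added example; range semantics are an assumption
(see comments), version data is transcribed from the advisory text."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'6.3.11' -> (6, 3, 11).  Rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


@dataclass(frozen=True)
class Range:
    branch: Version                  # version must start with this prefix
    low: Optional[Version] = None    # inclusive lower bound within the branch
    high: Optional[Version] = None   # inclusive upper bound within the branch
    fix: Optional[str] = None        # first fixed release named by the advisory

    def contains(self, v: Version) -> bool:
        return (v[:len(self.branch)] == self.branch
                and (self.low is None or v >= self.low)
                and (self.high is None or v <= self.high))


def branch(text: str, fix: Optional[str] = None) -> Range:
    """'X.Y all versions' / 'all versions 5.x'."""
    return Range(parse_version(text), fix=fix)


def below(text: str, fix: Optional[str] = None) -> Range:
    """'X.Y.Z and below'.  Assumption: read as branch X.Y up to and including
    X.Y.Z, because the advisory lists every affected branch separately."""
    v = parse_version(text)
    return Range(v[:2], high=v, fix=fix)


def between(lo: str, hi: str, fix: Optional[str] = None) -> Range:
    """'X.Y.A through X.Y.B' (inclusive)."""
    lo_v, hi_v = parse_version(lo), parse_version(hi)
    return Range(lo_v[:2], low=lo_v, high=hi_v, fix=fix)


# Transcribed from the advisory.  fix=None where the advisory names no fixed
# release for that branch (FortiMail: fix still to be confirmed; use the
# server-mode workaround).  Note the advisory lists FortiADC 6.2.1 as both
# affected and as the upgrade target; confirm the intended target with the vendor.
AFFECTED: Dict[str, List[Range]] = {
    "FortiDDoS-F": [between("6.3.0", "6.3.0", "6.3.1"),
                    between("6.2.0", "6.2.2", "6.2.3"),
                    between("6.1.0", "6.1.4", "6.1.5")],
    "FortiDDoS": [branch(f"{maj}.{mn}", "5.7.0")
                  for maj, mn in [(5, 5), (5, 4), (5, 3), (5, 2), (5, 1), (5, 0),
                                  (4, 7), (4, 6), (4, 5), (4, 4)]],
    "FortiSandbox": [below("4.0.0", "4.0.1"), below("3.2.2", "3.2.3")],
    "FortiWeb": [below("6.3.11", "6.3.12"), below("6.2.4", "6.2.5"),
                 below("6.1.2"), below("6.0.7"), below("5.9.1"),
                 below("5.8.7"), below("5.7.3")],
    "FortiADC": [below("6.2.1", "6.2.1"), below("6.1.3", "6.1.4"),
                 below("6.0.3"), branch("5")],
    "FortiMail": [below("7.0.1"), below("6.4.5"), below("6.2.7"),
                  below("6.0.11"), branch("5")],
}


def check(product: str, version: str) -> Dict[str, Optional[str]]:
    """Return {'status': 'affected' | 'not listed', 'fix': <release or None>}.
    'not listed' means no advisory range contains this version; it is not a
    statement that the version is safe.  Unknown product names raise, so a
    typo in an inventory cannot silently produce a clean result."""
    if product not in AFFECTED:
        raise ValueError(f"product not covered by this advisory: {product!r}")
    v = parse_version(version)
    for r in AFFECTED[product]:
        if r.contains(v):
            return {"status": "affected", "fix": r.fix}
    return {"status": "not listed", "fix": None}


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    inventory = [("FortiWeb", "6.3.11"), ("FortiWeb", "6.3.12"),
                 ("FortiDDoS", "4.4.9"), ("FortiDDoS-F", "6.2.3"),
                 ("FortiMail", "7.0.1"), ("FortiSandbox", "3.1.0")]
    for product, version in inventory:
        print(f"{product:12} {version:8} {check(product, version)}")
```

Feed it the product and firmware version from your asset inventory; anything reported as "affected" with a fix of None (FortiMail) needs the workaround above, and anything "not listed" still deserves a manual look against the vendor's current advisory text before being marked clean.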


Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of Fortinet Product Security team.