FortiOS & FortiProxy - Flaws over keytab encryption scheme


A missing cryptographic steps vulnerability [CWE-325] in the functions that encrypt keytab values in FortiOS & FortiProxy may allow an attacker in possession of the encrypted secret to decipher it.

Affected Products

FortiOS version 7.2.0
FortiOS version 7.0.0 through 7.0.5
FortiOS 6.4 all versions
FortiOS 6.2 all versions
FortiOS 6.0 all versions
FortiProxy version 7.0.0 through 7.0.4
FortiProxy 2.0 all versions
FortiProxy 1.2 all versions
FortiProxy version 1.1.2 and above


Upgrade to FortiOS version 7.2.1 or above.
Upgrade to FortiOS version 7.0.6 or above.

Upgrade to FortiProxy version 7.2.0 or above.
Upgrade to FortiProxy version 7.0.5 or above.


Internally discovered and reported by Théo Leleu of Fortinet Product Security team.