PSIRT Advisories

FortiOS - Flaws over keytab encryption scheme


A missing cryptographic step vulnerability [CWE-325] in the functions that encrypt keytab values in FortiOS may allow an attacker in possession of the encrypted secret to decipher it.

Affected Products

At least
FortiOS version 7.2.0
FortiOS version 7.0.0 through 7.0.5
FortiOS version 6.4.0 through 6.4.11
FortiOS version 6.2.0 through 6.2.12
FortiOS version 6.0.0 through 6.0.15


Solutions

Upgrade to FortiOS version 7.2.1 or above.

Upgrade to FortiOS version 7.0.6 or above.


Internally discovered and reported by Théo Leleu of the Fortinet Product Security team.