FortiOS/FortiProxy7.4.3 weak pwdhash backup decryption
CVE-2024-21754 Published on June 11, 2024
A use of password hash with insufficient computational effort vulnerability [CWE-916] affecting FortiOS version 7.4.3 and below, 7.2 all versions, 7.0 all versions, 6.4 all versions and FortiProxy version 7.4.2 and below, 7.2 all versions, 7.0 all versions, 2.0 all versions may allow a privileged attacker with super-admin profile and CLI access to decrypting the backup file.
Vulnerability Analysis
CVE-2024-21754 is exploitable with local system access, requires user interaction and user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.
Weakness Type
Use of Password Hash With Insufficient Computational Effort
The software generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.
Products Associated with CVE-2024-21754
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-21754 are published in these products:
Affected Versions
Fortinet FortiProxy:- Version 7.4.0, <= 7.4.2 is affected.
- Version 7.2.0, <= 7.2.10 is affected.
- Version 7.0.0, <= 7.0.17 is affected.
- Version 2.0.0, <= 2.0.14 is affected.
- Version 7.4.0, <= 7.4.3 is affected.
- Version 7.2.0, <= 7.2.8 is affected.
- Version 7.0.0, <= 7.0.15 is affected.
- Version 6.4.0, <= 6.4.15 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.