Missing Required Cryptographic Step in Fortinet, Inc products - CVE-2021-32591

 

Missing Required Cryptographic Step in Fortinet, Inc products - CVE-2021-32591

Published: December 7, 2021


Vulnerability identifier: #VU58633
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-32591
CWE-ID: CWE-325
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Fortinet, Inc
Affected software:
FortiSandbox
FortiWeb
FortiADC

Detailed vulnerability description

The vulnerability allows an attacker to compromise users' passwords.

The vulnerability exists due to missing cryptographic steps in the function that encrypts users' LDAP and RADIUS credentials. An attacker in possession of the password store to compromise the confidentiality of the encrypted secrets.


How to mitigate CVE-2021-32591

Install updates from vendor's website.

Sources