CVE-2022-29054 — Generation of Predictable IV with CBC Mode in Fortinet Fortios

CWE-329 — Generation of Predictable IV with CBC Mode4 documents4 sources

Severity

3.3LOWNVD

EPSS

0.1%

top 66.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortios Fortinet Fortiproxy

Timeline

PublishedFeb 16

Description

A missing cryptographic steps vulnerability [CWE-325] in the functions that encrypt the DHCP and DNS keys in Fortinet FortiOS version 7.2.0, 7.0.0 through 7.0.5, 6.4.0 through 6.4.9, 6.2.x and 6.0.x may allow an attacker in possession of the encrypted key to decipher it.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 1.8 | Impact: 1.4

Affected Packages4 packages

▶NVDfortinet/fortios7.0.0 — 7.0.8+4

▶CVEListV5fortinet/fortios7.0.0 — 7.0.7+4

▶NVDfortinet/fortiproxy7.0.0 — 7.0.8+5

▶CVEListV5fortinet/fortiproxy7.2.0 — 7.2.1+4

🔴Vulnerability Details

GHSA

GHSA-6jr5-896x-ff5x: A missing cryptographic steps vulnerability [CWE-325] in the functions that encrypt the DHCP and DNS keys in Fortinet FortiOS version 7↗2023-02-16

▶

CVEList

CVE-2022-29054: A missing cryptographic steps vulnerability [CWE-325] in the functions that encrypt the DHCP and DNS keys in Fortinet FortiOS version 7↗2023-02-16

▶

📋Vendor Advisories

Fortinet

Flaws over DHCP and DNS keys encryption scheme↗2023-02-16

▶