CVE-2024-21754 — Use of Password Hash With Insufficient Computational Effort in Fortinet Fortios

CWE-916 — Use of Password Hash With Insufficient Computational Effort5 documents5 sources

Severity

4.4MEDIUMNVD

CNA1.8VulnCheck1.8

EPSS

4.9%

top 10.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortios Fortinet Fortiproxy

Timeline

PublishedJun 11

Description

A use of password hash with insufficient computational effort vulnerability [CWE-916] affecting FortiOS version 7.4.3 and below, 7.2 all versions, 7.0 all versions, 6.4 all versions and FortiProxy version 7.4.2 and below, 7.2 all versions, 7.0 all versions, 2.0 all versions may allow a privileged attacker with super-admin profile and CLI access to decrypting the backup file.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 0.8 | Impact: 3.6

Affected Packages4 packages

▶NVDfortinet/fortios7.2.0 — 7.2.9+3

▶NVDfortinet/fortiproxy7.4.0 — 7.4.3+3

▶CVEListV5fortinet/fortios7.4.0 — 7.4.3+3

▶CVEListV5fortinet/fortiproxy7.4.0 — 7.4.2+3

🔴Vulnerability Details

CVEList

CVE-2024-21754: A use of password hash with insufficient computational effort vulnerability [CWE-916] affecting FortiOS version 7↗2024-06-11

▶

GHSA

GHSA-pg7p-9rpp-xjmx: A use of password hash with insufficient computational effort vulnerability [CWE-916] affecting FortiOS version 7↗2024-06-11

▶

VulnCheck

Fortinet FortiOS and FortiProxy Backup File Weak Key Vulnerability↗2024

▶

📋Vendor Advisories

Fortinet

Weak key derivation for backup file↗2024-06-11

▶