CVE-2024-21754 Overview
CVE-2024-21754 is a cryptographic vulnerability involving the use of password hash with insufficient computational effort (CWE-916) affecting Fortinet's FortiOS and FortiProxy products. This weakness allows a privileged attacker with super-admin profile and CLI access to potentially decrypt backup files, exposing sensitive configuration data and credentials stored within.
The vulnerability stems from inadequate hashing algorithms used to protect password data in configuration backups. While exploitation requires high privileges (super-admin access), the impact on confidentiality is significant as backup files often contain critical network infrastructure configurations and authentication credentials.
Critical Impact
Privileged attackers with super-admin access and CLI capabilities can decrypt FortiOS and FortiProxy backup files, potentially exposing sensitive credentials and configuration data.
Affected Products
- Fortinet FortiOS version 7.4.3 and below
- Fortinet FortiOS versions 7.2.x, 7.0.x, and 6.4.x (all versions)
- Fortinet FortiProxy version 7.4.2 and below
- Fortinet FortiProxy versions 7.2.x, 7.0.x, and 2.0.x (all versions)
Discovery Timeline
- 2024-06-11 - CVE-2024-21754 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-21754
Vulnerability Analysis
This vulnerability falls under the category of Weak Hash Algorithm (CWE-916: Use of Password Hash with Insufficient Computational Effort). The core issue lies in how FortiOS and FortiProxy generate and store password hashes within backup files.
When administrators create configuration backups, the system stores password data using a hashing mechanism that lacks sufficient computational complexity. Modern password hashing algorithms like bcrypt, scrypt, or Argon2 are designed with adjustable work factors that make brute-force attacks computationally expensive. The vulnerability indicates that the hashing implementation in affected Fortinet products does not meet these security standards.
An attacker who obtains a backup file and possesses super-admin privileges with CLI access can leverage this weakness to recover plaintext passwords from the hash values. This attack requires local access to the system, which somewhat limits the attack surface, but the potential for credential recovery makes it a serious concern for enterprise environments.
Root Cause
The root cause of CVE-2024-21754 is the implementation of a password hashing algorithm that does not require sufficient computational resources to compute. This design flaw makes it feasible for attackers to perform offline brute-force or dictionary attacks against password hashes extracted from backup files.
Proper password storage should use adaptive hashing functions with configurable iteration counts or memory-hard functions that significantly increase the time and resources required to test password candidates. The affected versions of FortiOS and FortiProxy fail to implement these protections adequately.
Attack Vector
The attack vector for CVE-2024-21754 is local, requiring the attacker to already have super-admin privileges and CLI access to the Fortinet device. The typical attack scenario involves:
- An attacker with elevated privileges accesses the FortiOS or FortiProxy CLI
- The attacker exports or obtains a configuration backup file
- Using knowledge of the weak hashing algorithm, the attacker extracts password hashes from the backup
- The attacker performs offline password cracking against the extracted hashes
- Due to insufficient computational effort in the hashing, passwords can be recovered more easily than expected
This vulnerability does not require user interaction and has no impact on integrity or availability—it solely affects confidentiality by enabling credential disclosure.
Detection Methods for CVE-2024-21754
Indicators of Compromise
- Unexpected backup file creation or export operations on FortiOS/FortiProxy devices
- Unusual CLI access patterns by super-admin accounts, especially during off-hours
- Backup files being transferred to unauthorized destinations or external storage
- Multiple failed or successful authentication attempts from previously unknown sources after backup access
Detection Strategies
- Monitor and audit all backup creation and export activities on Fortinet devices
- Implement logging for all super-admin CLI sessions and review logs for anomalous activity
- Deploy file integrity monitoring on backup storage locations to detect unauthorized access
- Correlate backup access events with subsequent authentication patterns that may indicate credential compromise
Monitoring Recommendations
- Enable comprehensive logging on FortiOS and FortiProxy devices with centralized log collection
- Configure alerts for backup file operations and CLI access by privileged accounts
- Implement behavioral analytics to detect unusual administrative activity patterns
- Review super-admin account activity regularly and restrict CLI access to essential personnel only
How to Mitigate CVE-2024-21754
Immediate Actions Required
- Upgrade FortiOS to version 7.4.4 or later to address this vulnerability
- Upgrade FortiProxy to version 7.4.3 or later
- Review and rotate all passwords that may have been stored in previously created backup files
- Restrict super-admin privileges to essential personnel only and enforce principle of least privilege
- Audit access to existing backup files and ensure they are stored securely with encryption at rest
Patch Information
Fortinet has released security patches addressing this vulnerability. Administrators should consult the Fortinet PSIRT Advisory FG-IR-23-423 for detailed upgrade guidance and version-specific remediation instructions.
For FortiOS, upgrade to version 7.4.4 or later. For FortiProxy, upgrade to version 7.4.3 or later. Organizations running versions in the 7.2.x, 7.0.x, 6.4.x (FortiOS), or 2.0.x (FortiProxy) branches should consult Fortinet's advisory for specific upgrade paths.
Workarounds
- Encrypt all backup files with strong encryption before storage using external encryption tools
- Store backup files in secured, access-controlled locations with audit logging enabled
- Limit super-admin account creation and enforce strict access controls on administrative accounts
- Implement network segmentation to restrict CLI access to dedicated management networks only
- Consider using hardware security modules (HSMs) for additional credential protection where available
# Configuration example for restricting admin access
config system admin
edit "admin_user"
set accprofile "super_admin"
set trusthost1 10.0.0.0 255.255.255.0
set force-password-change enable
next
end
# Enable comprehensive logging
config log setting
set fwpolicy-implicit-log enable
set local-in-allow enable
set local-in-deny-unicast enable
set local-out enable
end
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
