Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.1154 Clear-text insertion of user's passwords into log files 7 April 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: FortiADCManager FortiADC Publisher: Fortinet Operating System: Network Appliance Impact/Access: Access Confidential Data -- Existing Account Unauthorised Access -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2021-24024 Original Bulletin: https://fortiguard.com/psirt/FG-IR-19-244 - --------------------------BEGIN INCLUDED TEXT-------------------- Clear-text insertion of user's passwords into log files IR Number : FG-IR-19-244 Date : Mar 01, 2021 Risk : 3/5 CVSSv3 Score : 4.3 Impact : Information disclosure CVE ID : CVE-2021-24024 Summary A clear text storage of sensitive information into log file vulnerability in FortiADCManager and FortiADC may allow a remote authenticated attacker to read other local users' password in log files. Impact Information disclosure Affected Products FortiADCManager versions 5.3.0 and below. FortiADCManager versions 5.2.1 and below. FortiADC versions 5.3.7 and below. Solutions Please upgrade to FortiADCManager versions 5.4.0 or above. Please upgrade to FortiADC versions 5.4.0 or above. Acknowledgement Fortinet is pleased to thank Danilo Costa from PBI Dynamic IT Security for reporting this vulnerability under responsible disclosure - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYGz38eNLKJtyKPYoAQiZ/Q//dD3EWFOKSC3dcS8Ji4d0el4xrGJ+9KPf YA2RzfvDseJldt8iOZ03Yv5jS51RrmGhUHXbKFXZdLskRn6r19yD5VCXENANuDh/ yYifzHl2HjsUqrYHBfFdAelbUi6YulF5pIiVOWB3pm0ya1M5Rax1fY70DPCFP/UH lt5RAdTaHD+2DXcrHVsirq4oR16dL14fnIrJd/I+zYTwRBzFgiMQVyqzYuOVsBlS tTV8YcV7qoyOvn2OCrxOzci3MX0eXV0erA0mrHI0p7U/+YzNAU3hhw9O1xpm5l+1 DHsWf3z9G4liRvJIR0uIzp2pLvRK1vQioGVdGqwtHsURBQ/mVymT1W2GrIzUqAfG tpWtU9n+fPjrDFwHSt7/J+IA9eK1D7PvWZwQhCh1uB8WqH3u9kpZe+YPoDeT9Ukm HuXCmCveai+GqAFMh4veTaKooz/H6RC9fwJZy+LC4oC3hWIiPpMtytYqsySTVSZO Jceb7Vz75J4qxsxLZvQYBezmrCyIOQEqUxIuBEZk62GY6XITrTpvr102aYng3bzO WcblmnyHaXsI9Vuo5FirHKoDdEr7VD+5luoz1MfoMfE1QngiS/kr/H1mcUk8B5gT pyCPT0zDR2KADzo/Qp+w9iOgmzcI/1DmqAIQXxynH7r8eaFCYG7mulhzgkSaRlUx 0IEPhkrT3qU= =PMGm -----END PGP SIGNATURE-----