Published: June 2024
Author: Security Insight

Overview

In June 2024, a critical vulnerability was published as CVE-2024-32122, affecting Fortinet’s FortiOS, specifically versions 7.2. and 7.2.1. This bug allows attackers to recover passwords stored in a reversible format. Combined with another configuration trick, attackers can extract these passwords by redirecting FortiOS’s LDAP server connections to their own malicious server.

This article will break down what happened, show you code examples, and explain how the exploit works in simple words.

What’s at risk: Passwords used for LDAP authentication in FortiOS devices.

- How: FortiOS stored LDAP credentials in a retrievable format (not cryptographically hashed, but reversible).
- The Trick: If an attacker can modify the LDAP server IP in the FortiOS config, they can make the device send saved passwords directly to a server they control.

1. Password Storage in FortiOS 7.2.–7.2.1

In FortiOS, LDAP server credentials are stored in the configuration file under config user ldap. Instead of being hashed (a one-way transformation that cannot be reversed), they’re stored reversibly — often encoded or obfuscated, but not protected. If you can view the config file, you can recover the actual password.

Example: LDAP Config Snippet

config user ldap
    edit "example-ldap"
        set server "10...5"
        set cnid "uid"
        set dn "dc=corp,dc=example,dc=com"
        set type regular
        set username "ldap-admin"
        set password ENC XYZ123456789abcde
    next
end

Here, the set password ENC ... is the "encrypted" (really, just encoded) password.

Attack Pre-Requisites

- The attacker must have administrative access or use some path to modify the LDAP server IP address in the FortiOS configuration.
- The system must connect (for user authentication or testing) to the LDAP server (now under attacker control) and send the credentials.

Wait for Connection:

- When the FortiOS unit tries to authenticate a user (or an admin runs a connectivity test), it connects to the attacker's server, presenting the _reversibly-stored_ LDAP username and password.

Password Capture:

- The attacker's server logs these credentials—now the attacker owns the LDAP username and password, which may be privileged.

Python Snippet: Attacker’s LDAP Listener (Simple Example)

Below is a minimal listener that can be used to catch the username and password sent from the FortiOS device:

# Simple rogue LDAP server (for testing, not for real attacks)
import socket

HOST = '...'
PORT = 389  # LDAP default port

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.bind((HOST, PORT))
    s.listen(1)
    print(f"[*] Rogue LDAP server listening on {HOST}:{PORT} ...")
    conn, addr = s.accept()
    with conn:
        print(f"[+] Connection from {addr}")
        data = conn.recv(1024)
        print("[*] Raw Data:", data)
        # With more code, decode LDAP bind requests to get credentials.

Why is This So Bad?

- Real-World Impact: The retrieved credentials are often powerful (admin or service accounts), so an attacker can take over your domain or access other critical systems.
- Not Just Local: If FortiOS is used for authentication in multiple places, this becomes a single point of compromise.

Patch Now:

Fortinet has fixed this in later FortiOS versions. Update immediately if you’re running 7.2. or 7.2.1.

Audit Configuration Access:

Only trusted administrators should be allowed to modify FortiOS configs. Monitor for unauthorized changes.
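One way to turn that monitoring into a check, as an added example that is not part of the original article: parse a FortiOS config export for the config user ldap section shown above and flag any entry whose set server value is not on an allowlist of approved directory servers, since redirecting that pointer is exactly the change the attack depends on. The sample config and the allowlist are constructed for illustration.

```python
# Added example: flag "config user ldap" entries whose server is not on an allowlist,
# i.e. the change an attacker needs in order to redirect bind credentials.
import re

# Constructed sample config in the FortiOS "config user ldap" format (not a real export).
SAMPLE_CONFIG = """\
config user ldap
    edit "example-ldap"
        set server "192.0.2.5"
        set dn "dc=corp,dc=example,dc=com"
        set username "ldap-admin"
        set password ENC XYZ123456789abcde
    next
    edit "shadow-ldap"
        set server "198.51.100.77"
        set username "ldap-admin"
        set password ENC ABCDEF0123456789
    next
end
"""

# Hypothetical allowlist of the directory servers this firewall is expected to use.
APPROVED_LDAP_SERVERS = {"192.0.2.5", "192.0.2.6"}

def parse_ldap_entries(config_text):
    """Return {entry_name: {setting: value}} for each entry in 'config user ldap'."""
    entries = {}
    block = re.search(r"config user ldap\n(.*?)\nend", config_text, re.S)
    if not block:
        return entries
    for name, body in re.findall(r'edit "([^"]+)"\n(.*?)\n\s*next', block.group(1), re.S):
        # Values are stripped of surrounding quotes; 'ENC ...' keeps its marker.
        entries[name] = {k: v.strip().strip('"') for k, v in re.findall(r"set (\S+) (.+)", body)}
    return entries

def find_suspicious_entries(config_text, approved=APPROVED_LDAP_SERVERS):
    """List (entry, server, bind username) for entries pointing at an unapproved server."""
    findings = []
    for name, s in parse_ldap_entries(config_text).items():
        if s.get("server", "") not in approved:
            findings.append((name, s.get("server", ""), s.get("username", "")))
    return findings

if __name__ == "__main__":
    for name, server, user in find_suspicious_entries(SAMPLE_CONFIG):
        print(f"[!] LDAP entry '{name}' binds as '{user}' to unapproved server {server}")
```

Run it against a scheduled config backup and alert on any finding; the bind username in the output tells you which account to rotate if the pointer was changed without authorization.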

Original Fortinet Advisory:

https://www.fortinet.com/blog/psirt-blogs/cve-2024-32122-fortios-ldap-password-exposure

NVD Entry:

https://nvd.nist.gov/vuln/detail/CVE-2024-32122

Exploit Discussion

Hacker News Thread (Example)

LDAP Exploitation Techniques:

https://book.hacktricks.xyz/network-services-pentesting/389-ldap-service-pentesting

Conclusion

CVE-2024-32122 in FortiOS 7.2.–7.2.1 is a textbook example of why storing passwords in a way they can be easily retrieved is a dangerous design. By changing the LDAP server pointer, an attacker can simply trick the device into giving up the secrets.

If you run a Fortinet firewall or VPN using LDAP, patch now, check your configs, and rotate your credentials.

Stay safe and secure — and keep your passwords properly protected!


*This article is original content from Security Insight, June 2024. If you’ve found it useful, share with your sysadmin friends and make the Internet a safer place.*

Timeline

Published on: 04/08/2025 14:15:31 UTC
Last modified on: 04/08/2025 18:13:53 UTC