CVE-2022-29054: 
FortiOS vulnerability analysis and mitigation

A missing cryptographic steps vulnerability [CWE-325] was identified in Fortinet FortiOS versions 7.2.0, 7.0.0 through 7.0.5, 6.4.0 through 6.4.9, 6.2.x and 6.0.x. The vulnerability was disclosed on February 16, 2023, and assigned CVE-2022-29054. This security flaw affects the functions responsible for encrypting DHCP and DNS keys in the FortiOS system (NVD, Fortinet Advisory).

The vulnerability is classified as a missing cryptographic steps issue with a CVSS v3.1 Base Score of 3.3 (Low severity). The attack vector is Local (AV:L), with Low attack complexity (AC:L), requiring Low privileges (PR:L), and No user interaction (UI:N). The scope is Unchanged (S:U), with Low confidentiality impact (C:L), and No impact on integrity (I:N) or availability (A:N) (NVD).

If exploited, this vulnerability could allow an attacker who has possession of the encrypted key to successfully decipher it, potentially compromising the security of DHCP and DNS communications (NVD).

Fortinet has released patches to address this vulnerability. Users are advised to upgrade to the latest version of FortiOS that contains the fix. The specific versions that include the patch vary depending on the branch: FortiOS 7.0.8 or later for 7.0.x branch, and FortiOS 7.2.1 or later for 7.2.x branch (Fortinet Advisory).