Encryption vulnerabilities in Fortinet products

[German]Fortinet's developers have shipped certain (security) products with hard-coded keys to encrypt communication. In addition, encryption was performed using an XOR function. However, 18 months after the notification, the vulnerabilities are fixed.

Fortinet is a US company that provides software and services in the field of information security, such as firewalls, antivirus programs, intrusion detection and endpoint security. It is the fourth largest network security company in terms of revenue.

Fixed encryption with XOR

Now the company has attracted attention through bad mistakes in its products. Yesterday I already became aware of the topic at Bleeping Computer via this article, but I also noticed it via this tweet.

Security researchers have noticed that Fortinet developers used weak encryption and static keys in several security products to communicate with FortiGuard services in the cloud. These include AntiSpam, AntiVirus and Web Filter.

Stefan Viehböck  discovered the bugs on 16 May 2018 and disclosed them to Fortinet. The analysis revealed that cloud communication was encoded using XOR ciphers and keys embedded in the products. Fortinet announced the vulnerability on November 20, 2019  in a security advisory.

Hardcoded cryptographic key in the FortiGuard services communication protocol

Use of a hardcoded cryptographic key in the FortiGuard services communication protocol may allow a Man in the middle with knowledge of the key to eavesdrop on and modify information (URL/SPAM services in FortiOS 5.6, and URL/SPAM/AV services in FortiOS 6.0.; URL rating in FortiClient) sent and received from Fortiguard severs by decrypting these messages.

The issue affects versions of FortiOS (prior to 6.0.7 or 6.2.0), FortiClient for Windows prior to 6.2.0, and FortiClient for Mac prior to 6.2.2 released on March 28, 2019. Upgrading to the following product versions fixes these vulnerabilities, which allow confidential communication content to be disclosed.

  • Upgrade to FortiOS 6.0.7 or 6.2.0
  • Upgrade to FortiClientWindows 6.2.0
  • Upgrade to FortiClientMac 6.2.2

In a just published vulnerability report, SEC Consult Vulnerability Lab provides details about the vulnerability CVE-2018-9195. In addition, the security researchers provide proof-of-concept (PoC) code demonstrating the vulnerability of the unpatched products. Whoever uses the products should therefore update. Further details can be found in the linked articles.

This entry was posted in Security, Software and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *