Fortinet's developers shipped certain (security) products with hard-coded keys for encrypting their communication, and the encryption itself was a simple XOR function. Eighteen months after being notified, the company has now fixed the vulnerabilities.
Fortinet is a US company that provides software and services in the field of information security, such as firewalls, antivirus programs, intrusion detection and endpoint security. It is the fourth largest network security company in terms of revenue.
Fixed-key encryption with XOR
Now the company has attracted attention through serious mistakes in its products. Yesterday I came across the topic in this article at Bleeping Computer, and also via this tweet.
Some Fortinet products shipped with hardcoded encryption keys
– took Fortinet between 10 and 18 months to fix the issue
– hardcoded key allowed for passive interception of Fortinet product traffic
– also allowed active tampering with scan results https://t.co/mbwwTb96qf pic.twitter.com/3hXbCQGyVu
— Catalin Cimpanu (@campuscodi) November 25, 2019
Security researchers have noticed that Fortinet developers used weak encryption and static keys in several security products to communicate with FortiGuard services in the cloud. These include AntiSpam, AntiVirus and Web Filter.
Stefan Viehböck discovered the bugs on 16 May 2018 and reported them to Fortinet. His analysis showed that the cloud communication was encrypted with an XOR cipher using keys embedded in the products themselves. Fortinet published a security advisory for the vulnerability on November 20, 2019.
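The two consequences named above, passive reading of the traffic and active modification of its content, follow directly from the properties of a repeating-key XOR cipher with a key that is baked into every shipped copy. The following Python example, added here and not part of the original post or of any Fortinet or SEC Consult code, demonstrates both properties with a constructed key and a constructed message, and then shows the mitigation a defender would expect: a per-session key (assumed to be established out of band, e.g. by a TLS handshake) combined with an HMAC tag, so that any modification of the ciphertext is detected before the content is used. The XOR "cipher" in the sealed variant is kept only to keep the example short; a real protocol should use TLS or an AEAD cipher instead.

```python
import hashlib
import hmac
from itertools import cycle
from typing import Optional

# Constructed example key. It stands in for a key compiled into every shipped
# copy of a product; it is not any vendor's real key.
STATIC_KEY = b"example-static-key"

# Constructed example message, standing in for a lookup result sent by a
# cloud service. "clean" and "dirty" are the same length so a bit flip maps
# one onto the other.
SAMPLE_MESSAGE = b"rating=clean"


def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Encryption and decryption are the same operation."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decrypt_with_shipped_key(ciphertext: bytes) -> bytes:
    """Passive interception: a key present in every product copy is public
    knowledge, so anyone holding it can read the traffic."""
    return xor_cipher(ciphertext, STATIC_KEY)


def flip_plaintext_bits(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Malleability: XOR offers no integrity. XORing the ciphertext with
    (old ^ new) at an offset where the plaintext is `old` turns the decrypted
    bytes into `new`. No key is needed for this, only a guess of the layout,
    which is why a MAC is mandatory for any XOR/stream construction."""
    out = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        out[offset + i] ^= o ^ n
    return bytes(out)


# --- Mitigation: per-session key plus HMAC (encrypt-then-MAC) ---------------

TAG_LEN = hashlib.sha256().digest_size


def _derive_keys(session_key: bytes) -> tuple:
    """Derive separate encryption and MAC keys from one session secret."""
    enc_key = hmac.new(session_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(session_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def seal(message: bytes, session_key: bytes) -> bytes:
    """Encrypt under a session-derived key and append an HMAC over the
    ciphertext. (XOR kept for brevity; use TLS or an AEAD in practice.)"""
    enc_key, mac_key = _derive_keys(session_key)
    ct = xor_cipher(message, enc_key)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return ct + tag


def open_sealed(blob: bytes, session_key: bytes) -> Optional[bytes]:
    """Verify the tag in constant time before decrypting. Returns None when
    the ciphertext was modified in transit, so the caller never acts on a
    tampered result."""
    if len(blob) < TAG_LEN:
        return None
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(session_key)
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return xor_cipher(ct, enc_key)


if __name__ == "__main__":
    ct = xor_cipher(SAMPLE_MESSAGE, STATIC_KEY)
    print("read with shipped key:", decrypt_with_shipped_key(ct))
    tampered = flip_plaintext_bits(ct, len(b"rating="), b"clean", b"dirty")
    print("after blind bit flip: ", decrypt_with_shipped_key(tampered))

    session_key = b"\x01" * 32  # constructed; a real session key is per connection
    blob = seal(SAMPLE_MESSAGE, session_key)
    print("sealed, untouched:    ", open_sealed(blob, session_key))
    blob_tampered = flip_plaintext_bits(blob, len(b"rating="), b"clean", b"dirty")
    print("sealed, tampered:     ", open_sealed(blob_tampered, session_key))
```

Running the script shows the static-key ciphertext decrypting to the original message, the blindly modified ciphertext decrypting to a different but well-formed rating, and the sealed variant returning the message when untouched and `None` once a single byte has been altered. The last line is the behaviour the fix should deliver: a client must refuse, not reinterpret, a FortiGuard-style response whose integrity check fails.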
Hardcoded cryptographic key in the FortiGuard services communication protocol
Use of a hardcoded cryptographic key in the FortiGuard services communication protocol may allow a man-in-the-middle with knowledge of the key to eavesdrop on and modify information (URL/SPAM services in FortiOS 5.6, and URL/SPAM/AV services in FortiOS 6.0; URL rating in FortiClient) sent to and received from FortiGuard servers by decrypting these messages.
The issue affects FortiOS prior to 6.0.7 or 6.2.0, FortiClient for Windows prior to 6.2.0, and FortiClient for Mac prior to 6.2.2 (released on March 28, 2019). Upgrading to the following product versions fixes the vulnerabilities, which otherwise allow confidential communication content to be disclosed:
- Upgrade to FortiOS 6.0.7 or 6.2.0
- Upgrade to FortiClientWindows 6.2.0
- Upgrade to FortiClientMac 6.2.2
In a newly published vulnerability report, SEC Consult Vulnerability Lab provides details on the vulnerability CVE-2018-9195. The researchers also provide proof-of-concept (PoC) code demonstrating the weakness in unpatched products. Anyone using the affected products should therefore update. Further details can be found in the linked articles.