Major information disclosure and eavesdropping slipup now fixed

UPDATED Cybersecurity vendor Fortinet took 18 months to strip its software of a flawed crypto cipher and hardcoded cryptographic keys, a security researcher has revealed.

A weak encryption cipher (XOR) and static cryptographic keys from three different Fortinet products had left users temporarily vulnerable to eavesdropping and manipulated server responses, the California-based company admitted in a security advisory published last week.

Impacted products included FortiOS for FortiGate firewalls and FortiClient antivirus software for Mac and Windows, which used XOR and hardcoded crypto keys to encrypt user traffic to and from FortiGate’s cloud-based Web Filter, anti-spam, and antivirus features.

System administrators with FortiOS 6.0.6, FortiClientWindows 6.0.6 or FortiClientMac 6.2.1 and below have been advised to upgrade immediately to the latest versions, which are free of the static encryption keys.

Unfortunately, it took Fortinet, which claims to have 375,000 customers, 10 months to release any fixes after initially being notified of the vulnerability by Stefan Viehböck, a researcher at SEC Consult.

In a recent blog post, Viehböck details how he had notified the company of the major security slipups in May of last year.

It then took another eight months before a final patch was issued, Viehböck said.

Information gathering

Once intercepted, Viehböck surmised, protocol messages containing product serial numbers could identify which Fortinet products an organization used.

Citing the Equation Group-Fortigate exploit as an example, he described such information as “valuable for information gathering”.

Attackers could also leverage the FortiClient serial number as a unique identifier to track an individual’s geographic movements.

Full HTTP and even HTTPS links sent to the Web Filter for testing would be exposed too.

Attackers could also obtain the email data sent for testing to the anti-spam feature and the antivirus data sent for testing to the antivirus feature, said Viehböck.

Johannes Greil, principal security consultant at SEC Consult, told The Daily Swig that an “active man-in-the-middle attack” wasn’t necessary to access information – “sniffing on some gateway/router” would suffice – but would “allow an attacker to manipulate those messages sent between the Fortinet software and the backend.”

He also noted that “some nation-state cyber surveillance programs also have the capability to monitor internet traffic.”

Fortinet's advisory said attackers with knowledge of the key could decrypt and modify URL/SPAM services in FortiOS 5.6, URL/SPAM/AV services in FortiOS 6.0, and the URL rating in FortiClient.
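Why a fixed-key XOR scheme permits both reading and modifying traffic, shown as an added example that is not code from SEC Consult or Fortinet. The key, the message layout and the HMAC contrast are constructed for illustration and do not reproduce the FortiGuard protocol or Fortinet's fix.

```python
import hashlib
import hmac
import os
from itertools import cycle

STATIC_KEY = b"DEMOKEY!"  # constructed 8-byte key, not a real product key
# Constructed message; field names are illustrative, not the FortiGuard format.
MESSAGE = b"serial=DEMO-SN-0001;url=https://intranet.example/q3;rating=blocked"


def xor_static(data: bytes, key: bytes = STATIC_KEY) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def keystream_from_pair(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """One known plaintext prefix reveals the key bytes that covered it."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def flip_field(ciphertext: bytes, old: bytes, new: bytes, at: int) -> bytes:
    """XOR is malleable: an equal-length field changes without the key."""
    out = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        out[at + i] ^= o ^ n
    return bytes(out)


def seal(session_key: bytes, payload: bytes) -> bytes:
    """Contrast: append an HMAC-SHA256 tag keyed per session."""
    return payload + hmac.new(session_key, payload, hashlib.sha256).digest()


def verify(session_key: bytes, blob: bytes):
    """Return the payload if the tag checks out, else None."""
    payload, tag = blob[:-32], blob[-32:]
    good = hmac.new(session_key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, good) else None


if __name__ == "__main__":
    ct = xor_static(MESSAGE)
    print(keystream_from_pair(ct, b"serial=D"))          # key bytes leak
    at = MESSAGE.index(b"blocked")
    print(xor_static(flip_field(ct, b"blocked", b"allowed", at)))  # silent change
    key = os.urandom(32)                                  # never shipped in a binary
    print(verify(key, flip_field(seal(key, ct), b"blocked", b"allowed", at)))
```

The tag only addresses tampering; confidentiality still requires a real cipher with keys that are negotiated per session rather than embedded in the product.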

Despite a promising start, with a same-day acknowledgement of his advisory on May 17, 2018, Viehböck indicated that he received a follow-up confirming that a fix was being devised only three weeks later, after he had twice informed the company that he would have to publicly disclose the bug.

But despite the “initial hiccups”, Greil praised Fortinet PSIRT’s handling of communication and “information exchange during the vulnerability resolution phase.”

It took Fortinet until November 13 to release the final patch, version 6.2.0 of FortiOS.

Viehböck has documented the vulnerability, including an explanation of how a Python 3 script can decrypt a FortiGuard message, in a post on the SEC Consult website.

This bug was arguably the most significant affecting Fortinet since the 2016 discovery and reverse-engineering of hardcoded SSH logins on FortiOS.

The Daily Swig has reached out to Fortinet for further comment.


This article has been updated with a corrected patch version number.

