FortiGuard Used Hardcoded Key, XOR to Encrypt Communications

LASER_oneXM

Feb 4, 2016
Security researchers found that multiple security products from Fortinet use weak encryption and static keys to communicate with FortiGuard services in the cloud, such as AntiSpam, AntiVirus, and Web Filter. An attacker capable of intercepting network traffic would have little trouble decrypting and modifying messages exchanged with FortiGuard servers.
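The post above says the FortiGuard channel relied on a static key and XOR, and that an interceptor could both read and modify traffic. The Python below is an added illustration (not Fortinet's code, and the key in it is a constructed placeholder, not any vendor's real key) of the two properties that make that design fail: with a fixed key the keystream cancels out across messages, so the XOR of two ciphertexts equals the XOR of the two plaintexts, and because XOR is linear, any change to a ciphertext byte changes exactly the corresponding plaintext byte without the receiver noticing. The second half shows the shape of a fix: a fresh per-message nonce plus an HMAC tag verified before decryption, so a modified message is rejected. The SHA-256 counter keystream is a toy for the demonstration only; real deployments should use TLS or an AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os

# Constructed placeholder key for the demonstration; not any vendor's real key.
STATIC_KEY = b"static-demo-key-0123"


def xor_stream(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. Encrypt and decrypt are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encrypt_unauthenticated(message: bytes) -> bytes:
    """The weak pattern: one fixed key shared by every device, no integrity tag."""
    return xor_stream(message, STATIC_KEY)


def decrypt_unauthenticated(ciphertext: bytes) -> bytes:
    """Accepts anything: a modified ciphertext is indistinguishable from a genuine one."""
    return xor_stream(ciphertext, STATIC_KEY)


def flip_bit(blob: bytes, index: int) -> bytes:
    """Simulate a single altered byte in transit (constructed test input)."""
    out = bytearray(blob)
    out[index] ^= 0x01
    return bytes(out)


def xor_of_ciphertexts(message_a: bytes, message_b: bytes) -> bytes:
    """With a static keystream, c1 XOR c2 == m1 XOR m2: the key cancels out.

    This is why one fixed key leaks plaintext relationships across every session
    and every device that shares it.
    """
    ca = encrypt_unauthenticated(message_a)
    cb = encrypt_unauthenticated(message_b)
    n = min(len(ca), len(cb))
    return bytes(x ^ y for x, y in zip(ca[:n], cb[:n]))


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode PRF built from SHA-256, for illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_authenticated(message: bytes, enc_key: bytes, mac_key: bytes) -> bytes:
    """Fresh nonce per message plus an HMAC tag over nonce||ciphertext (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ciphertext = xor_stream(message, keystream(enc_key, nonce, len(message)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_authenticated(blob: bytes, enc_key: bytes, mac_key: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    if len(blob) < 16 + 32:
        raise ValueError("message too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was modified in transit")
    return xor_stream(ciphertext, keystream(enc_key, nonce, len(ciphertext)))


def tamper_is_detected(message: bytes, enc_key: bytes, mac_key: bytes) -> bool:
    """True if flipping one ciphertext bit is rejected by the authenticated scheme."""
    blob = encrypt_authenticated(message, enc_key, mac_key)
    try:
        decrypt_authenticated(flip_bit(blob, 16), enc_key, mac_key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    msg = b"lookup category: example.com"  # constructed sample request
    silently_changed = decrypt_unauthenticated(flip_bit(encrypt_unauthenticated(msg), 0))
    print("static-key XOR decrypts a modified message without complaint:", silently_changed)
    print("nonce + HMAC scheme rejects the same modification:",
          tamper_is_detected(msg, os.urandom(32), os.urandom(32)))
```

The defensive takeaway is the second half: confidentiality needs a keystream that never repeats across messages or devices, and integrity needs a tag checked before the payload is acted on. A static shared key gives neither.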
 

ForgottenSeer 58943

Let's keep in mind all of these products/services have exploits, loopholes, oversights, and even backdoors. Fortinet actually has several backdoors, including the ability of someone with extremely trivial knowledge of IT to fully backdoor the product with physical access to it. I can do it in about 60 seconds, even to the 3000+ series Fortinets. I don't actually even need physical access to do it, I can do it with a long probe through a hole in a cage.

In terms of recent years - Fortinet has gone down some paths that will yield, in my opinion, less security and confidentiality. They have been implicated for being 'lazy' in the past, for example the hard coded DuHK which was merely lazy support people wanting a Super-Admin password to bypass lengthy support calls. Fortinet was engineered to be an attractive product to sell to businesses promising compromised security while utilizing systems that will be impossible to result in uncompromised security.

So basically, how this vulnerability works is:

Fortiguard Services as a rule do not download rulesets and databases to the device. The exception to this is the IPS/IDS module which downloads all of the rules to the device so there is no HC check on IPS/IDS via the FortiGuard services and also the Application Filtration Module. AV/WF/AntiSpam all reach out to the Fortiguard Services over SSL to authenticate traffic. This doesn't MiTM the traffic, it's just an authentication of the traffic as a classification of it. Once the return path is complete the device either authorizes or denies the activity.

In this case, Fortinet was discovered to be using hard-coded keys for the SSL/TLS traffic for EVERY SINGLE DEVICE. They were cheap, they were lazy. Even more nefarious-sounding: this key was used for every single user with FortiClient VPN installed.

So what it allows is: full knowledge of surfing activity. Full knowledge of file activity on systems/business/endpoints. Full awareness of identification, location and activity of the VPN user. Please note this vuln does NOT require FortiClient installation (VPN or otherwise), as it is a compromise of FortiGuard servers, FortiGate appliances AND software.

They did disclose that this also reveals the serial number and other data on the Fortinet device. But what was not disclosed is why this is extremely dangerous. The aforementioned backdoor I mentioned REQUIRES THE DEVICE SERIAL.

Also, and this was disclosed, there is no workaround for this other than to upgrade device firmware. However, I have advocated elsewhere that when a Fortinet is deployed it should use Application Filter and IPS/IDS ONLY, which doesn't rely on SSL/TLS realtime communication with FG servers. Using a Fortinet properly locked down, with full, maximum IPS/IDS settings and Fortimanager ports closed up is actually an extremely potent security device, but most IT guys don't get it.

Would I use a Fortinet at this juncture? Yes, only with AF/IPS modules enabled and using it as a strict Policy Based UTM and properly locked down. This vulnerability would not impact such a Fortinet and it also drops off what are likely more undisclosed vulns.

Protip: You can buy a legacy Fortigate appliance for cheap. Then manually load the IPS/IDS signature vault into the device and use it as a powerful firewall in the home. Sometimes for just $100 or so for a strong device like a 200B or whatever. In such a situation a Fortinet becomes an extremely potent home firewall without any licensing renewals and all of the vulns sealed up good and tight.
 
