Some Fortinet products shipped with hardcoded encryption keys

It took Fortinet 18 months to fix the issue. Updates are now out.

Image: Fortinet, ZDNet

Fortinet, a vendor of cyber-security products, took between 10 and 18 months to remove a hardcoded encryption key from three products that were exposing customer data to passive interception.

The hardcoded encryption key was found inside the FortiOS for FortiGate firewalls and the FortiClient endpoint protection software (antivirus) for Mac and Windows.

These three products used a weak encryption cipher (XOR) and hardcoded cryptographic keys to communicate with various FortiGate cloud services.

The hardcoded keys were used to encrypt user traffic for the FortiGuard Web Filter feature, FortiGuard AntiSpam feature, and FortiGuard AntiVirus feature.

A threat actor in a position to observe a user or a company's traffic would have been able to take the hardcoded encryption keys and decrypt this weakly encrypted data stream. Depending on what product a company was using, the attacker would have learned:

- Full HTTP or HTTPS links for users' web surfing activity (sent for testing to the Web Filter feature)
- Email data (sent for testing to the AntiSpam feature)
- Antivirus data (sent for testing to the Fortinet cloud AntiVirus feature)

But besides sniffing a user's traffic, the attacker could have also used the same hardcoded encryption key to alter and re-encrypt responses, neutering alerts for malware detections or bad URLs.
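The two consequences described above, passive decryption and undetected modification, are both properties of a stream cipher (here, repeating-key XOR) used with a key that every installation shares and that carries no integrity tag. The following is an added illustration, not Fortinet's code nor SEC Consult's demo code: the key, the query string and the "verdict" field are constructed placeholders. The hardened half of the example shows the shape of the fix a reviewer would look for, per-session keys plus an integrity check that rejects altered messages; the XOR layer there is only a stand-in, and a real deployment would use TLS or an AEAD such as AES-GCM.

```python
"""Why a hardcoded XOR key gives neither confidentiality nor integrity.

Added educational example; all keys and messages are constructed.
"""
import hashlib
import hmac
import os

# Constructed placeholder: stands in for any key compiled into a shipped binary
# and therefore identical on every customer's device.
STATIC_KEY = b"hardcoded-demo-key"

TAG_LEN = 32  # HMAC-SHA256 output length


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Encrypting and decrypting are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def observer_recovers(ciphertext: bytes) -> bytes:
    """A passive observer who holds the product-wide key reads the stream."""
    return xor_crypt(ciphertext, STATIC_KEY)


def rewrite_in_transit(ciphertext: bytes, old: bytes, new: bytes) -> bytes:
    """Decrypt, substitute one same-length field, re-encrypt with the same key.

    Nothing in the ciphertext lets the receiver notice the substitution.
    """
    if len(old) != len(new):
        raise ValueError("example keeps the length unchanged for simplicity")
    plain = xor_crypt(ciphertext, STATIC_KEY)
    return xor_crypt(plain.replace(old, new, 1), STATIC_KEY)


def receiver_without_integrity(ciphertext: bytes) -> bytes:
    """Receiver that trusts whatever decrypts: no error, altered verdict accepted."""
    return xor_crypt(ciphertext, STATIC_KEY)


# --- Hardened shape: fresh keys per session and an integrity tag ---

def new_session_keys():
    """Independent encryption and MAC keys, generated per session, not baked in."""
    return os.urandom(32), os.urandom(32)


def seal(plaintext: bytes, enc_key: bytes, mac_key: bytes) -> bytes:
    """Encrypt-then-MAC. The XOR step is a stand-in for a real cipher."""
    ct = xor_crypt(plaintext, enc_key)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return ct + tag


def open_sealed(blob: bytes, enc_key: bytes, mac_key: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject on mismatch."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return xor_crypt(ct, enc_key)


def tamper_detected(blob: bytes, enc_key: bytes, mac_key: bytes) -> bool:
    """Flip one ciphertext bit and report whether the receiver rejects it."""
    altered = bytearray(blob)
    altered[0] ^= 0x01
    try:
        open_sealed(bytes(altered), enc_key, mac_key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed query of the kind a web-filter lookup might carry.
    query = b"url=http://example.test/ verdict=BLOCK"
    ct = xor_crypt(query, STATIC_KEY)
    print("observer reads:", observer_recovers(ct))
    print("receiver accepts:", receiver_without_integrity(
        rewrite_in_transit(ct, b"BLOCK", b"ALLOW")))
    ek, mk = new_session_keys()
    print("tamper detected with tag:", tamper_detected(seal(query, ek, mk), ek, mk))
```

The detection question for a defender is the inverse of the receiver's check: if a client-to-cloud protocol carries no per-session key material and no integrity tag, an observer with the binary has everything needed to read and rewrite it, which is exactly the gap the patches listed below close.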

It took months to get this fixed

The issues were discovered in May 2018 by Stefan Viehböck, a security researcher for SEC Consult. The process of reporting and having these issues fixed by Fortinet has been abnormally long and slow.

For example, while most companies acknowledge bug reports on the same day, it took three weeks until a Fortinet employee got on the case.

Fixing the bugs took even longer. Fortinet removed the encryption key from recent versions of FortiOS only in March 2019, ten months after the initial report.

It then took another eight months to remove the encryption keys from older versions, with the last patch being released earlier this month.

Below are the impacted Fortinet products:

  • FortiOS 6.0.6 and below
  • FortiClientWindows 6.0.6 and below
  • FortiClientMac 6.2.1 and below

System administrators are advised to apply the following patches to remove the hardcoded encryption keys:

  • FortiOS 6.0.7 or 6.2.0
  • FortiClientWindows 6.2.0
  • FortiClientMac 6.2.2

Contacted by ZDNet, a Fortinet spokesperson explained why the company took so much time with fixing the reported issues:

"The security of our customers is top priority at Fortinet. Once the issue was disclosed to Fortinet, we immediately began working with our internal research team to develop software updates for the affected products. As part of that process, the team took time to architect a solution while protecting the connection to FortiGuard Services for our customers. Keeping with our responsible disclosure policies to protect customers, Fortinet does not distribute an advisory until all solutions are in place, tested, and in place for the affected products."

Viehböck's write-up and demo code are available on the SEC Consult website. Fortinet's security advisory is available here.

Article updated on November 26 with comment from Fortinet.