In May 2018, Stefan Viehböck, a security researcher at SEC Consult, found flaws in three Fortinet products: FortiOS for FortiGate appliances and the FortiClient antivirus for Windows and for Mac. All three protected their communication with Fortinet's cloud services with a weak cipher (XOR) and used keys hard-coded into the software.
These keys encrypted the user traffic that the Web Filter, AntiSpam and AntiVirus functions send to FortiGuard. An attacker able to observe a user's or a company's network traffic could therefore take the hard-coded keys and decrypt the stream, obtaining:
- the full HTTP or HTTPS URLs visited by users that are submitted to the Web Filter for checking
- e-mail data submitted to AntiSpam for checking
- anti-virus data submitted to the Fortinet cloud for analysis.
The attacker could also use the keys to modify and re-encrypt the server's responses. Because XOR provides no integrity protection, the client accepts the altered reply, which for example allows warnings about detected malware or dangerous URLs to be suppressed.
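To make the three failures above concrete (passive decryption with the extracted key, forging a verdict by re-encrypting an edited response, and the fact that XOR gives no integrity at all), here is an added illustration in Python. It is not Fortinet's code or protocol and not taken from the advisory: the key, the request and the JSON-like verdict are constructed for this example. It also goes slightly beyond the text by showing two properties of repeating-key XOR that a practitioner should know: a same-length field can be rewritten without the key by flipping ciphertext bits, and a single captured request with guessable content reveals the key bytes outright.

```python
from itertools import cycle

# Constructed placeholder key for this example; NOT Fortinet's real key.
HARDCODED_KEY = b"example-static-key"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the same call both encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decrypt_captured(ciphertext: bytes, key: bytes = HARDCODED_KEY) -> bytes:
    """An eavesdropper holding the key extracted from the client binary reads the traffic."""
    return xor_with_key(ciphertext, key)


def forge_response(ciphertext: bytes, old: bytes, new: bytes,
                   key: bytes = HARDCODED_KEY) -> bytes:
    """Decrypt a captured server verdict, edit it and re-encrypt it with the same key.

    The client cannot distinguish the forged reply from a genuine one because
    plain XOR carries no authentication tag or signature.
    """
    plaintext = decrypt_captured(ciphertext, key)
    if old not in plaintext:
        raise ValueError("expected field not present in decrypted response")
    return xor_with_key(plaintext.replace(old, new, 1), key)


def flip_without_key(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Rewrite a same-length field WITHOUT knowing the key (malleability).

    Since c = p ^ k, XORing the ciphertext with (old ^ new) at the field's
    offset makes that field decrypt to `new`; only the message layout is needed.
    """
    if len(old) != len(new):
        raise ValueError("old and new must have the same length")
    if offset < 0 or offset + len(old) > len(ciphertext):
        raise ValueError("field lies outside the ciphertext")
    patched = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        patched[offset + i] ^= o ^ n
    return bytes(patched)


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: c ^ p yields the key bytes directly.

    One captured request whose content the attacker can guess (for example a
    URL they lured the victim into visiting) exposes the key even if it had
    never been found in the binary.
    """
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


if __name__ == "__main__":
    # Constructed sample traffic, not a real FortiGuard exchange.
    query = b"GET https://intranet.example.test/hr/payroll.xlsx"
    captured = xor_with_key(query, HARDCODED_KEY)
    print("decrypted request :", decrypt_captured(captured))
    print("recovered key     :", recover_keystream(captured, query)[:len(HARDCODED_KEY)])

    verdict = b'{"url":"http://bad.example.test/","category":"malicious"}'
    enc_verdict = xor_with_key(verdict, HARDCODED_KEY)
    forged = forge_response(enc_verdict, b"malicious", b"clean")
    print("forged with key   :", decrypt_captured(forged))
    off = verdict.index(b"malicious")
    flipped = flip_without_key(enc_verdict, off, b"malicious", b"harmless!")
    print("flipped w/o key   :", decrypt_captured(flipped))
```

The lesson for anyone reviewing a client-to-cloud protocol: a fixed key shipped in every copy of the software is public, and even with a secret key a bare stream cipher needs an authenticator before the receiver may act on the content. TLS with certificate validation, which Fortinet moved to in the fixed releases, provides both properties.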
As mentioned above, fixing these problems took a long time. Fortinet engineers removed the key from the current FortiOS branch only in March 2019, ten months after the bug was reported. Removing it from the older, still-supported versions took another eight months, and the last patch was released only in November 2019.
Users are now advised to upgrade as soon as possible: FortiOS to version 6.0.7 or 6.2.0, FortiClient for Windows to version 6.2.0, and FortiClient for Mac to version 6.2.2.