DUHK Attack against Fortinet Products

Summary

When devices use the ANSI X9.31 RNG (which was removed from the list of FIPS-approved random number generation algorithms in January 2016) with a static seed to generate cryptographic keys, and use those keys for long-lived security tunnels such as SSL/TLS/SSH/IPSec, such devices are vulnerable to the DUHK attack.

Affected Products

For FortiOS:

Only FortiOS versions 4.3.0 to 4.3.18 are affected [1]:
* FortiOS 4.3.19, and 5.0.0 and above, are not affected
* FortiOS 4.2 and below are not affected

The following products are NOT affected [2]:

* FortiAP
* FortiSwitch
* FortiAnalyzer

[1] FortiOS 4.3 used to implement the ANSI X9.31 RNG to decrypt TLS/IPSec traffic.
[2] Either X9.31 is not used or the vulnerable conditions are not met.
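
The version boundaries above can be applied to a device inventory as follows. This is an added example, not Fortinet code; it assumes versions are recorded as dotted strings such as "4.3.18", and the hostnames and inventory entries are constructed.

```python
import re

# Affected branch and last affected patch level, as stated in the advisory
# (FortiOS 4.3.0 through 4.3.18).
AFFECTED_BRANCH = (4, 3)
LAST_AFFECTED_PATCH = 18

# Assumption: versions are recorded as dotted numbers, optionally prefixed
# with "v" (for example "4.3.18" or "v5.0.0").
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)


def classify(version_text):
    """Return 'affected', 'not affected' or 'unknown' for one FortiOS version."""
    match = _VERSION_RE.fullmatch(version_text.strip())
    if match is None:
        return "unknown"  # unparseable: needs manual review
    major, minor = int(match.group(1)), int(match.group(2))
    if (major, minor) != AFFECTED_BRANCH:
        return "not affected"  # 4.2 and below, or 5.0.0 and above
    if match.group(3) is None:
        return "unknown"  # "4.3" alone could be 4.3.18 or 4.3.19
    patch = int(match.group(3))
    return "affected" if patch <= LAST_AFFECTED_PATCH else "not affected"


def triage(inventory):
    """Group (hostname, version) pairs by advisory status."""
    result = {"affected": [], "not affected": [], "unknown": []}
    for host, version in inventory:
        result[classify(version)].append(host)
    return result


# Constructed sample inventory; hostnames and versions are illustrative.
SAMPLE_INVENTORY = [
    ("fw-branch-01", "4.3.18"),
    ("fw-branch-02", "v4.3.19"),
    ("fw-core-01", "5.0.0"),
    ("fw-lab-01", "4.2.9"),
    ("fw-lab-02", "4.3"),
    ("fw-old-01", "4.3.0"),
    ("fw-dmz-01", "unrecorded"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Entries reported as "unknown" carry too little version detail to place against the 4.3.18/4.3.19 boundary and need a manual check on the device.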

Solutions

For FortiOS, upgrade to FortiOS 4.3.19, 5.0.0 or above [3].

[3] The ANSI X9.31 RNG has been superseded by the CTR_DRBG implementation, as per the NIST SP800-90 recommendations, since the FortiOS 5.0.0 GA release.

Revision

2016-11-22 Initial version. FortiOS DUHK attack vulnerability fixed.
2017-11-23 Added assessment for other products.

Acknowledgement

Fortinet is pleased to thank Matthew D. Green of the Johns Hopkins University and Shaanan Cohney of the University of Pennsylvania for reporting this vulnerability under responsible disclosure.