'Re: SEC Consult SA-20191125-0 :: FortiGuard XOR Encryption in Multiple Fortinet Products'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Re: SEC Consult SA-20191125-0 :: FortiGuard XOR Encryption in Multiple Fortinet Products
From:       SEC Consult Vulnerability Lab <research () sec-consult ! com>
Date:       2019-11-27 7:45:05
Message-ID: e270385c-d165-2947-1116-268a66d15f44 () sec-consult ! com
[Download RAW message or body]


Hi,

we received incorrect version information during the coordination phase thus our \
initial advisory stated that FortiOS v6.0.7 fixes the issue. Fortinet has just now \
confirmed that only v6.2.0 includes the patch. See their advisory: \
https://fortiguard.com/psirt/FG-IR-18-100

SEC Consult Vulnerability Lab


On 25.11.19 14:43, SEC Consult Vulnerability Lab wrote:
> SEC Consult Vulnerability Lab Security Advisory < 20191125-0 >
> =======================================================================
> title: FortiGuard XOR Encryption
> product: Multiple Fortinet Products (see Vulnerable / tested versions)
> vulnerable version: Multiple (see Vulnerable / tested versions)
> fixed version: Multiple (see Solution)
> CVE number: CVE-2018-9195
> impact: High
> homepage: https://www.fortinet.com
> found: 2018-05-16
> 
> by: Stefan Viehböck (Office Vienna)
> SEC Consult Vulnerability Lab
> 
> An integrated part of SEC Consult
> Europe | Asia | North America
> 
> https://www.sec-consult.com
> 
> =======================================================================
> 
> Vendor description:
> -------------------
> "From the start, the Fortinet vision has been to deliver broad, truly
> integrated, high-performance security across the IT infrastructure.
> 
> We provide top-rated network and content security, as well as secure access
> products that share intelligence and work together to form a cooperative
> fabric. Our unique security fabric combines Security Processors, an intuitive
> operating system, and applied threat intelligence to give you proven security,
> exceptional performance, and better visibility and control--while providing
> easier administration."
> 
> Source: https://www.fortinet.com/corporate/about-us/about-us.html
> 
> 
> Business recommendation:
> ------------------------
> The vendor provides a patch and users of affected products are urged to
> immediately upgrade to the latest version available.
> 
> 
> Vulnerability overview/description:
> -----------------------------------
> Fortinet products, including FortiGate and Forticlient regularly send
> information to Fortinet servers (DNS: guard.fortinet.com) on
> - UDP ports 53, 8888 and
> - TCP port 80 (HTTP POST /fgdsvc)
> 
> This cloud communication is used for the FortiGuard Web Filter feature \
> (https://fortiguard.com/webfilter), FortiGuard AntiSpam feature \
> (https://fortiguard.com/updates/antispam) and FortiGuard AntiVirus feature \
> (https://fortiguard.com/updates/antivirus). 
> The messages are encrypted using XOR "encryption" with a static key.
> 
> 
> The protocol messages contain the following types of information:
> 
> **Serial number of the Fortinet product installation** (product type + unique ID).
> This information allows an attacker who can **passively monitor** internet traffic \
>                 to:
> - learn which Fortinet products and product types an organization uses
> (this is valuable for information gathering, see EquationGroup Fortigate exploits)
> - learn which FortiClient installations are part of an organization
> - use the FortiClient serial number as a unique identifier to track an individual \
> as he/she travels the world
> 
> 
> **Full HTTP URLs of users web surfing activity** (Web Filter feature).
> This information allows an attacker who can **passively monitor** internet traffic
> to spy on users' web surfing activity. In cases where SSL inspection is enabled,
> even the URLs of HTTPS-encrypted communication are sent via this protocol,
> effectively breaking the confidentiality of SSL/TLS.
> 
> 
> **Unspecified email data** (AntiSpam feature).
> We do not have any further information on what kind of information is sent by the
> AntiSpam feature.
> 
> 
> **Unspecified AntiVirus data** (AntiVirus feature).
> We do not have any further information on what kind of information is sent by the
> AntiVirus feature.
> 
> 
> By **intercepting and manipulating** internet traffic an attacker can:
> Manipulate the responses for FortiGuard Web Filter, AntiSpam and AntiVirus \
> features. 
> 
> Proof of concept:
> -----------------
> The following Python 3 script decrypts a FortiGuard message (the static XOR key
> has been removed from this advisory).
> 
> 
> ```python
> from itertools import cycle
> 
> def forti_xor(s1):
> xor_key = **removed**
> message = ''.join(chr(c ^ k) for c, k in zip(s1, cycle(xor_key)))
> return message
> 
> r1=bytes.fromhex('6968766f606e776c2d2d21262138475c5b5a475b545e475c6b6a776b646e776c6b6a772b646e776c6b6a776b646e776c6b6a776bbadf04036b6a776c616a846f')
>  
> print(repr(forti_xor(r1)))
> ```
> 
> In this case the encrypted message contents are:
> '\x02\x02\x01\x04\x04\x00\x00\x00FGVMEV0000000000\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00@\x00\x00\x00\x00\x00\x00...'
>  
> 
> Another example:
> '\x02\x01\x02\x04úI\x03\x00FG100D3G00000000\x00\x00\...x00\x00+https://v10.vortex-win.data.microsoft.com/\x00'
>  
> 
> Vulnerable / tested versions:
> -----------------------------
> The following FortiOS versions are affected according to the vendor:
> * FortiOS 6.0.6 and below
> * FortiClientWindows 6.0.6 and below
> * FortiClientMac 6.2.1 and below
> 
> 
> The security advisory of the vendor can be found at:
> https://fortiguard.com/psirt/FG-IR-18-100
> 
> 
> Vendor contact timeline:
> ------------------------
> 2018-05-17: Contacting vendor through psirt@fortinet.com, sending advisory with
> public PGP key
> 2018-05-17: Auto-Response: "Thank you for contacting us regarding your
> inquiry. We have created a PSIRT ticket for this inquiry"
> 2018-05-17: Response: "Thank you to report us this vulnerability. I created
> an internal incident and I will communicate further with you while
> I'm investigating the impact of this."
> 2018-05-28: Requesting update, "If we don't get an appropriate response (see my
> initial email) by the end of next week, we will consider disclosing
> the vulnerability without further coordination."
> 2018-05-28: Auto-Response: "Thank you for contacting us regarding your inquiry.
> We have created a PSIRT ticket for this inquiry"
> 2018-06-05: Requesting update again, "This is the final attempt to contact you",
> plus reaching out to Fortinet via Twitter, LinkedIn.
> 2018-06-05: First response after 3 weeks, developers are working on a fix,
> "Please therefore kindly wait for further updates, while we are
> coordinating various stakeholders (including FortiGuard servers
> maintainers) for a fix."
> 2018-06-06: Requesting conference call.
> 2018-06 - 2019-11: Multiple conference calls, discussing technical details, \
> agreeing on disclosure time
> 2019-03-28: Fix released in FortiOS 6.2.0
> 2019-04-01: Fix issued on FortiGuard server side
> 2019-11-13: Fix released for FortiOS branch 6.0, version 6.0.7
> 2019-11-25: Public release of security advisory
> 
> 
> 
> Solution:
> ---------
> The vendor provides updated versions for the affected products:
> * FortiOS 6.0.7 or 6.2.0
> * FortiClientWindows 6.2.0
> * FortiClientMac 6.2.2
> 
> The security advisory of the vendor can be found at: \
> https://fortiguard.com/psirt/FG-IR-18-100 
> 
> Workaround:
> -----------
> None
> 
> 
> Advisory URL:
> -------------
> https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
> 
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> SEC Consult Vulnerability Lab
> 
> SEC Consult
> Europe | Asia | North America
> 
> About SEC Consult Vulnerability Lab
> The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
> ensures the continued knowledge gain of SEC Consult in the field of network
> and application security to stay ahead of the attacker. The SEC Consult
> Vulnerability Lab supports high-quality penetration testing and the evaluation
> of new offensive and defensive technologies for our customers. Hence our
> customers obtain the most current information about vulnerabilities and valid
> recommendation about the risk profile of new technologies.
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Interested to work with the experts of SEC Consult?
> Send us your application https://www.sec-consult.com/en/career/index.html
> 
> Interested in improving your cyber security with the experts of SEC Consult?
> Contact our local offices https://www.sec-consult.com/en/contact/index.html
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> Mail: research at sec-consult dot com
> Web: https://www.sec-consult.com
> Blog: http://blog.sec-consult.com
> Twitter: https://twitter.com/sec_consult
> 
> EOF Stefan Viehböck / @2019
> 


["smime.p7s" (application/pkcs7-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic