Operating System:

[Fortinet]

Published:

01 July 2020

Protect yourself against future threats.

//Service

Security Bulletins

Receive up to date and consistent security bulletins across a wide range of vendors, streamlining security patching.

Read more
Resources > Security Bulletins > ESB-2019.4387.3 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.4387.3
         Use of a hard-coded cryptographic key to cipher sensitive
                    data in configuration backup files
                                1 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiOS
                   FortiManager
Publisher:         FortiGuard
Operating System:  FortiOS
Impact/Access:     Access Privileged Data -- Existing Account
                   Reduced Security       -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-9289 CVE-2019-6693 

Original Bulletin: 
   https://fortiguard.com/psirt/FG-IR-19-007

Revision History:  July      1 2020: Vendor updated affected products list
                   June     12 2020: Additional CVE added
                   November 20 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Use of a hard-coded cryptographic key to cipher sensitive data in CLI configuration

IR Number : FG-IR-19-007

Date      : Nov 19, 2019

Risk      : 2/5

Impact    : Information Disclosure

CVE ID    : CVE-2019-6693, CVE-2020-9289

CVE ID    : CVE-2019-6693, CVE-2020-9289

CVE ID    : CVE-2019-6693, CVE-2020-9289

Summary

Use of a hard-coded cryptographic key to encrypt password data in CLI
configuration in FortiOS, FortiManager and FortiAnalyzer may allow an attacker
with access to the CLI configuration or the CLI backup file to decrypt the
sensitive data, via knowledge of the hard-coded key.

Impact

Information Disclosure

Affected Products

CVE-2019-6693: FortiOS 6.2.0, 6.0.0 to 6.0.6, 5.6.10 and below

(impacts all credential data of type "ENC" in FortiOS CLI configuration except
the administrator's password)


CVE-2020-9289: FortiManager 6.2.3 and below

(impacts all credential data of type "ENC" in FortiManager CLI configuration)


CVE-2020-9289: FortiAnalyzer 6.2.3 and below

(impacts all credential data of type "ENC" in FortiAnalyzer CLI configuration)


If the CLI configuration is exposed (typical example: Willingly posted on a
forum for troubleshooting purpose), it is possible to decrypt the encrypted ENC
type data to plaintext using this hard-coded cryptographic key. Same goes for
the system backup file, if it is not password protected.

Solutions

FortiOS:


In versions 5.6.11, 6.0.7 and 6.2.1 and above, administrators can choose to be
prompted for a password, which is then used by FortiOS to encrypt sensitive
data in the configuration file. The following steps enable this option:


# config system global
# set private-data-encryption enable /* disabled by default */
# end


FortiManager:


Upgrade to FortiManager 6.2.4 or above and enable the following newly
introduced CLI setting, to prompt for a user-defined cryptographic key; the
user-defined key will then be used to cipher ENC type data in the
configuration:


# configure system global
#set private-data-encryption enable /* disabled by default */
#end


FortiAnalyzer:


Upgrade to FortiAnalyzer 6.2.4 or above and enable the following newly
introduced CLI setting, to prompt for a user-defined cryptographic key; the
user-defined key will then be used to cipher ENC type data in the
configuration:


# configure system global
#set private-data-encryption enable /* disabled by default */
#end


Workaround:


* Always use a password to protect the system configuration file when
performing backups

* The impacted ENC type data in CLI configuration, if exposed, should currently
be considered "easy to decrypt" by potential attackers. Thus, avoid exposure of
configuration in unsafe and/or public channels (forums, etc...)


Revision History:
11-19-2019 Initial Version
06-11-2020 Add FortiManager CVE-2020-9289
06-30-2020 Add FortiAnalyzer CVE-2020-9289

Acknowledgement

Fortinet is pleased to thank Bart Dopheide (bart.dopheide@axians.com) for
report CVE-2019-6693, Independent research team Denis Kolegov, Maxim Gorbunov,
Nikita Oleksov and Anton Nikolaev for report CVE-2019-6693 and CVE-2020-9289
under responsible disclosure.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXvu+a+NLKJtyKPYoAQhhCg/9GFD+W3YDwJbq1OvqFdXGFDPbmUJSVMVo
4KJsDd5ypIvO4+oebTB70FWIwSyGKBKANqKlUWedkCFbRSi5lg7wQKhkNuVvb8ST
U+HRYwxuDSSaL02OeWMpXO0NVy7XxRHNft6HSpN2mmMD1BjRhP4xR0nJiw5ZbhH/
YgDS4sa+hLVKVqS72cqDeUBZLPzW0R7YOyW2aF/CaIuByRXRBgwps+fz/mxiYZLN
R/vy0Quu/jb8L9jELwmJ2z3MuTlVFAr7U8ioEsgwc/6StqX40RzoQkwKPzz2lFS2
N30ZmLOhZdr2ukcO+zUBiqdASOet+x96xuYQSHRRIwb/Fep4unR/zSc39olgyLh5
ckoJm/UOEWHfs9udJ9IIqtcmwXllcCLWChU/JtmkAgQzbWqMzIF4U1w3mUBwvIkv
zNuN95Qh+lUJDXD8A7K+tjGeG19JS5Z92wd7Nyq8sz7Q3EaNEmA8KL0K6PXYkD7l
4c3uDg18r+Z0enAPR6nPyhG8aPCtTeDOJ8nk8MGnknGNZnhiQMIuY0VQsF9fkLTy
PcV+v1DemK1ywhRVusNL3P7i6H5tdGDrtav9K/wkM7uaLfYuFG4bQxA81KSs9tM0
nRPUSyVAt4e7tL7hotEL1Npg9/5ydtAkcazYhoCVJZqatKLz7b9UgdNMqcdsLK3C
64lfJek7rJk=
=PD7r
-----END PGP SIGNATURE-----