-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
FortiOS DRBG insufficient entropy
14 February 2020
AusCERT Security Bulletin Summary
Operating System: Virtualisation
Impact/Access: Access Privileged Data -- Console/Physical
Resolution: Alternate Program
CVE Names: CVE-2019-15703
Revision History: February 14 2020: Reseeding improvement information has been
October 21 2019: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
FortiOS DRBG insufficient entropy
IR Number : FG-IR-19-186
Date : Oct 18, 2019
Risk : 2/5
Impact : Insufficient Entropy
CVE ID : CVE-2019-15703
FortiGate models which do not contain an embedded TRNG may suffer from
insufficient entropy ("seed") in the CTR DRBG random data software generator,
in their default configuration.
Insufficient randomness of the software source used to seed FortiOS' random
number generator enables theoretical and experimental attacks. When FortiOS
acts as a TLS client with an RSA handshake and mutual ECDSA authentication, it
may be possible to recover the long-term ECDSA secret with the help of
flush+reload side channel attacks, thereby breaking the TLS connection's
The impact differs greatly between FortiOS running on FortiGate hardware
and VM FortiOS.
The attack is only feasible under certain circumstances, on VM FortiOS
instances, and only if the attacker is able to successfully execute a
flush+reload side channel attack on the VM's host system. Furthermore, the
attacker must be able to make FortiOS' TLS client connect to an
attacker-controlled malicious TLS server repeatedly (which would require a
previously successful, different attack).
* All FortiOS models support Araneus USB TRNG hardware tokens, starting from
FortiOS 5.0.10. The tokens are used as a hardware entropy source to seed
FortiOS' DRBG, effectively solving the issue.
* The following models have a built-in hardware entropy source to seed the
FortiGate E/F models using ASIC CP9 starting from FortiOS 5.6.1 and 6.0.0
FortiGate E models using ASIC SOC3 starting from FortiOS 5.6.6, 6.0.2 and 6.2.0
FortiGate F models using ASIC SOC4
NOTE: to check for the presence of CP9 or SOC3 ASIC chips, use the following
# get hardware status
Model name: FortiGate-xxx
ASIC version: SOC3 or CP9
* FortiOS Intel CPU based models support Intel's rdseed instruction as a
hardware entropy source for the DRBG, starting from FortiOS 6.2.2.
NOTE: To check for rdseed support, use the following CLI command:
# fnsysctl cat /proc/cpuinfo
flags : rdseed
* FortiOS VM instances are able to use Intel's rdseed instruction of the
VM's host, IF the host supports it AND exposes it to the VMs (this is the case,
as of this writing, for AWS C5 and GCP hosts)
* FortiOS VM instances also support the Araneus USB TRNG solution.
Starting from FortiOS 6.0.9 and 6.2.3, FortiGates working in normal mode (as in
"not in FIPS mode") periodically reseed the DRBG from the entropy source. This
improvement mitigates another potential risk vector, i.e. the risk that "the
FortiOS CTR DRBG implementation ... has no explicit reseeding", disclosed in the referenced
Host FortiOS VM instances on a dedicated VM host to avoid side channel attacks.
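The advisory makes two points that are easier to see in code: a CTR DRBG whose seed material carries too little entropy leaves its whole state within reach of an attacker, and periodic reseeding from a real entropy source limits how long a compromised state stays useful. The Go program below is an example added here, not Fortinet's code and not the flush+reload attack from the disclosure. It implements SP 800-90A CTR_DRBG (AES-128, no derivation function) and seeds it with a constructed weakSeed in which only 16 bits of the 32-byte seed material vary (a deliberate exaggeration of "insufficient entropy" so the search finishes instantly). One 16-byte output is enough to brute-force the seed, replay the generator and predict every later output, until the victim reseeds from fresh entropy; the OS CSPRNG stands in for a TRNG token or rdseed. All function names and the 16-bit seed model are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// SP 800-90A CTR_DRBG parameters for AES-128 without a derivation function.
const (
	blockLen = 16
	keyLen   = 16
	seedLen  = keyLen + blockLen // 32 bytes of seed material
)
type ctrDRBG struct {
	key [keyLen]byte
	v   [blockLen]byte
}

// incV adds one to V, treated as a 128-bit big-endian counter.
func (d *ctrDRBG) incV() {
	for i := blockLen - 1; i >= 0; i-- {
		if d.v[i]++; d.v[i] != 0 {
			return
		}
	}
}

// update is CTR_DRBG_Update: seedLen bytes of keystream XOR providedData -> new Key, V.
func (d *ctrDRBG) update(providedData []byte) {
	block, _ := aes.NewCipher(d.key[:]) // 16-byte key: cannot fail
	temp, buf := make([]byte, 0, seedLen), make([]byte, blockLen)
	for len(temp) < seedLen {
		d.incV()
		block.Encrypt(buf, d.v[:])
		temp = append(temp, buf...)
	}
	for i := range temp {
		temp[i] ^= providedData[i]
	}
	copy(d.key[:], temp[:keyLen])
	copy(d.v[:], temp[keyLen:])
}

// newCTRDRBG instantiates with Key = V = 0 and then update(seed), per the spec.
func newCTRDRBG(seed []byte) *ctrDRBG {
	d := &ctrDRBG{}
	d.update(seed)
	return d
}

// Reseed mixes fresh entropy into the state; periodic reseeding calls this.
func (d *ctrDRBG) Reseed(entropy []byte) { d.update(entropy) }

// Generate returns n output bytes and then updates with a zero block.
func (d *ctrDRBG) Generate(n int) []byte {
	block, _ := aes.NewCipher(d.key[:])
	out, buf := make([]byte, 0, n+blockLen), make([]byte, blockLen)
	for len(out) < n {
		d.incV()
		block.Encrypt(buf, d.v[:])
		out = append(out, buf...)
	}
	d.update(make([]byte, seedLen))
	return out[:n]
}

// weakSeed is a constructed low-entropy seed: 30 fixed bytes plus a 16-bit value.
func weakSeed(t uint16) []byte {
	seed := bytes.Repeat([]byte{0x5a}, seedLen)
	binary.BigEndian.PutUint16(seed[seedLen-2:], t)
	return seed
}

// recoverWeakSeed brute-forces the 16-bit seed space from the first 16 bytes
// the victim emitted (a value an attacker can observe on the wire).
func recoverWeakSeed(firstOutput []byte) (uint16, bool) {
	for t := 0; t <= 0xFFFF; t++ {
		if bytes.Equal(newCTRDRBG(weakSeed(uint16(t))).Generate(blockLen), firstOutput) {
			return uint16(t), true
		}
	}
	return 0, false
}

func main() {
	victim := newCTRDRBG(weakSeed(0xBEEF))
	t, ok := recoverWeakSeed(victim.Generate(blockLen)) // attacker sees this output
	fmt.Printf("seed recovered: %v (t=%#x)\n", ok, t)
	clone := newCTRDRBG(weakSeed(t)) // replay the victim's state from the recovered seed
	clone.Generate(blockLen)
	fmt.Println("next output predicted:", bytes.Equal(clone.Generate(blockLen), victim.Generate(blockLen)))
	fresh := make([]byte, seedLen)
	rand.Read(fresh) // OS CSPRNG standing in for a TRNG token or rdseed
	victim.Reseed(fresh)
	fmt.Println("predicted after reseed:", bytes.Equal(clone.Generate(blockLen), victim.Generate(blockLen)))
}
```

Two caveats a practitioner should keep in mind. Reseeding only helps when the reseed material itself has real entropy; reseeding from the same weak source keeps the state inside the same small search space. And the disclosure's attack does not brute-force the seed, it recovers state through a cache side channel on the VM host; the point the example shares with the advisory is that a low-entropy seed makes the entire generator state, and hence the values derived from it, reachable by an attacker.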
2019-10-18: Initial version.
2020-02-13: Add reseeding improvement info.
Fortinet is pleased to thank Shaanan Cohney of the University of Pennsylvania
for reporting this vulnerability under responsible disclosure.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to email@example.com
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----