===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.3915.2
                     FortiOS DRBG insufficient entropy
                              14 February 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiOS
Publisher:         Fortinet
Operating System:  Virtualisation
Impact/Access:     Access Privileged Data -- Console/Physical
Resolution:        Alternate Program
CVE Names:         CVE-2019-15703

Original Bulletin:
   https://fortiguard.com/psirt/FG-IR-19-186

Revision History:  February 14 2020: Reseeding improvement information has been added.
                   October 21 2019:  Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

FortiOS DRBG insufficient entropy

IR Number : FG-IR-19-186
Date      : Oct 18, 2019
Risk      : 2/5
Impact    : Insufficient Entropy
CVE ID    : CVE-2019-15703

Summary

FortiGate models which do not contain an embedded TRNG may suffer from insufficient entropy ("seed") in the CTR DRBG random data software generator, in their default configuration.

Insufficient randomness of the software source used to seed FortiOS' random number generator enables theoretical and experimental attacks. When FortiOS acts as a TLS client with an RSA handshake and mutual ECDSA authentication, it may be possible to recover the long-term ECDSA secret with the help of flush+reload side-channel attacks, thereby breaking the TLS connection's confidentiality.

Impact

Insufficient Entropy

Affected Products

The impact differs greatly between FortiOS running on FortiGate hardware and VM FortiOS. The attack is only feasible within certain circumstances, on VM FortiOS instances, and only if the attacker is able to successfully execute a flush+reload side-channel attack on the VM's host system.
Furthermore, the attacker must be able to have FortiOS' TLS client connect to an attacker-controlled malicious TLS server repeatedly (which would require a previously successful, different attack).

Solutions

* All FortiOS models support Araneus USB TRNG hardware tokens, starting from FortiOS 5.0.10. The tokens are used as a hardware entropy source to seed FortiOS' DRBG, effectively solving the issue.

* The following models have a built-in hardware entropy source to seed the DRBG:

  o FortiGate E/F models using ASIC CP9, starting from FortiOS 5.6.1 and 6.0.0
  o FortiGate E models using ASIC SOC3, starting from FortiOS 5.6.6, 6.0.2 and 6.2.0
  o FortiGate F models using ASIC SOC4

  NOTE: to check for the presence of CP9 or SOC3 ASIC chips, use the following CLI command:

    # get hardware status
    Model name: FortiGate-xxx
    ASIC version: SOC3 or CP9

* FortiOS Intel CPU based models support Intel's rdseed instruction as a hardware entropy source for the DRBG, starting from FortiOS 6.2.2.

  NOTE: To check for rdseed support, use the following CLI command:

    # fnsysctl cat /proc/cpuinfo
    flags : rdseed

* FortiOS VM instances are able to use the Intel rdseed instruction of the VM's host, IF the host supports it AND exposes it to the VMs (this is the case as of this writing for hosts of AWS C5 and GCP).

* FortiOS VM instances also support the Araneus USB TRNG solution.

Reseeding Improvement:

Starting from FortiOS 6.0.9 and 6.2.3, FortiGates working in normal mode (as in "not in FIPS mode") support periodic reseeding from the entropy source. This improvement mitigates another potential risk vector, i.e. the "the FortiOS CTR DRBG implementation ... has no explicit reseeding" risk disclosed in the referenced paper.

Workarounds:

Host FortiOS VM instances on a dedicated VM host to avoid side-channel attacks.

Revision History:

2019-10-18: Initial version.
2020-02-13: Add reseeding improvement info.
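The two device checks named in the Solutions list (the "ASIC version:" line of get hardware status, and rdseed in the cpuinfo flags) can be folded into one audit routine that tells an operator which hardware entropy source the evidence supports. The script below is an added example, not Fortinet's or AusCERT's code; the device outputs it parses are constructed samples, and treating SOC4 as a built-in source is taken from the model list above.

```shell
#!/bin/sh
# Added example (not from the bulletin): classify a FortiGate's hardware
# entropy source from the output of the two CLI checks the advisory names.

# Returns 0 when the "ASIC version:" line names a CP9, SOC3 or SOC4 ASIC
# (the ASICs the advisory lists as built-in DRBG seed sources).
asic_has_trng() {
    printf '%s\n' "$1" |
        grep -Eiq 'ASIC version:[[:space:]]*(CP9|SOC3|SOC4)([^A-Za-z0-9]|$)'
}

# Returns 0 when any "flags :" line of /proc/cpuinfo output lists rdseed
# (as a whole word, so "rdrand" alone does not count).
cpu_has_rdseed() {
    printf '%s\n' "$1" |
        grep -E '^flags[[:space:]]*:' |
        grep -Eq '(^|[[:space:]])rdseed([[:space:]]|$)'
}

# Prints "asic", "rdseed" or "none". "none" means neither built-in source is
# present, so an Araneus USB TRNG token (or, for VMs, a host that exposes
# rdseed) is the remaining option from the Solutions list.
entropy_source() {
    if asic_has_trng "$1"; then
        echo asic
    elif cpu_has_rdseed "$2"; then
        echo rdseed
    else
        echo none
    fi
}

# Constructed sample outputs; not captures from real devices.
HW_SOC3='Model name: FortiGate-xxx
ASIC version: SOC3'
HW_VM='Model name: FortiGate-VM64
ASIC version: not available'
CPU_RDSEED='processor : 0
flags : fpu vme sse4_2 rdrand rdseed adx'
CPU_OLD='processor : 0
flags : fpu vme sse4_2 rdrand'

entropy_source "$HW_SOC3" "$CPU_OLD"     # asic
entropy_source "$HW_VM"   "$CPU_RDSEED"  # rdseed
entropy_source "$HW_VM"   "$CPU_OLD"     # none
```

On a real unit, feed the functions the captured text of get hardware status and fnsysctl cat /proc/cpuinfo instead of the samples.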
Acknowledgement

Fortinet is pleased to thank Shaanan Cohney of the University of Pennsylvania for reporting this vulnerability under responsible disclosure.

References

o https://security.cohney.info/blackswans/

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

    https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================