-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4387.3
     Use of a hard-coded cryptographic key to cipher sensitive data in
                        configuration backup files
                                1 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiOS
                   FortiManager
Publisher:         FortiGuard
Operating System:  FortiOS
Impact/Access:     Access Privileged Data -- Existing Account
                   Reduced Security       -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-9289 CVE-2019-6693

Original Bulletin:
   https://fortiguard.com/psirt/FG-IR-19-007

Revision History:  July      1 2020: Vendor updated affected products list
                   June     12 2020: Additional CVE added
                   November 20 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Use of a hard-coded cryptographic key to cipher sensitive data in CLI configuration

IR Number : FG-IR-19-007
Date      : Nov 19, 2019
Risk      : 2/5
Impact    : Information Disclosure
CVE ID    : CVE-2019-6693, CVE-2020-9289

Summary

Use of a hard-coded cryptographic key to encrypt password data in the CLI configuration of FortiOS, FortiManager and FortiAnalyzer may allow an attacker with access to the CLI configuration or the CLI backup file to decrypt the sensitive data, via knowledge of the hard-coded key.

Impact

Information Disclosure

Affected Products

CVE-2019-6693: FortiOS 6.2.0, 6.0.0 to 6.0.6, 5.6.10 and below (impacts all credential data of type "ENC" in the FortiOS CLI configuration except the administrator's password)

CVE-2020-9289: FortiManager 6.2.3 and below (impacts all credential data of type "ENC" in the FortiManager CLI configuration)

CVE-2020-9289: FortiAnalyzer 6.2.3 and below (impacts all credential data of type "ENC" in the FortiAnalyzer CLI configuration)

If the CLI configuration is exposed (typical example: willingly posted on a forum for troubleshooting purposes), it is possible to decrypt the encrypted ENC type data to plaintext using this hard-coded cryptographic key. The same goes for the system backup file, if it is not password protected.

Solutions

FortiOS:

In versions 5.6.11, 6.0.7 and 6.2.1 and above, administrators can choose to be prompted for a password, which is then used by FortiOS to encrypt sensitive data in the configuration file. The following steps enable this option:

    # config system global
    # set private-data-encryption enable   /* disabled by default */
    # end

FortiManager:

Upgrade to FortiManager 6.2.4 or above and enable the following newly introduced CLI setting, to prompt for a user-defined cryptographic key; the user-defined key will then be used to cipher ENC type data in the configuration:

    # configure system global
    # set private-data-encryption enable   /* disabled by default */
    # end

FortiAnalyzer:

Upgrade to FortiAnalyzer 6.2.4 or above and enable the following newly introduced CLI setting, to prompt for a user-defined cryptographic key; the user-defined key will then be used to cipher ENC type data in the configuration:

    # configure system global
    # set private-data-encryption enable   /* disabled by default */
    # end

Workaround:

* Always use a password to protect the system configuration file when performing backups.
* The impacted ENC type data in the CLI configuration, if exposed, should currently be considered "easy to decrypt" by potential attackers. Thus, avoid exposure of the configuration in unsafe and/or public channels (forums, etc.).

Revision History:

11-19-2019 Initial Version
06-11-2020 Add FortiManager CVE-2020-9289
06-30-2020 Add FortiAnalyzer CVE-2020-9289

Acknowledgement

Fortinet is pleased to thank Bart Dopheide (bart.dopheide@axians.com) for reporting CVE-2019-6693, and the independent research team of Denis Kolegov, Maxim Gorbunov, Nikita Oleksov and Anton Nikolaev for reporting CVE-2019-6693 and CVE-2020-9289 under responsible disclosure.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above.
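The advisory's exposure is easy to audit from the defender's side: a plain-text FortiOS-style CLI config that still carries `ENC` credential values while `private-data-encryption` is disabled is one that relies on the vendor's hard-coded key. The script below is an added example for this bulletin, not Fortinet's or AusCERT's code; it assumes the `config ... / edit ... / next / end` block layout and `set <key> ENC <blob>` credential lines, and the sample config embedded in it is constructed, with filler blobs.

```python
import re

# Constructed sample FortiOS-style CLI config (not a real backup); ENC blobs are filler.
SAMPLE_CONFIG = """\
config system global
    set hostname "edge-fw1"
    set private-data-encryption disable
end
config user ldap
    edit "corp-ldap"
        set password ENC AAAAexampleBlobNotRealAAAA==
    next
end
config system admin
    edit "admin"
        set password ENC AAAAadminBlobNotRealAAAA==
    next
end
"""

# Credential values in the CLI config are stored as `set <key> ENC <blob>`.
ENC_RE = re.compile(r'^set\s+(\S+)\s+ENC\s+\S+$')


def parse_config(text):
    """Walk config/edit blocks; return (private_data_encryption_on, [(block path, key)]).
    The ENC blob itself is never returned, so audit output leaks no ciphertext."""
    path, pde_on, entries = [], False, []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith('config '):
            path.append(s[7:])
        elif s.startswith('edit '):
            path.append(s[5:].strip('"'))
        elif s in ('end', 'next') and path:
            path.pop()
        elif path == ['system global'] and s.startswith('set private-data-encryption '):
            pde_on = s.split()[-1] == 'enable'
        elif ENC_RE.match(s):
            entries.append((' / '.join(path), ENC_RE.match(s).group(1)))
    return pde_on, entries


def audit(text):
    """ENC entries protected only by the vendor's hard-coded key (empty once
    private-data-encryption is on); FortiOS admin password excluded per advisory."""
    pde_on, entries = parse_config(text)
    if pde_on:
        return []
    return [e for e in entries if not e[0].startswith('system admin')]
```

Run `audit()` over a backup before it leaves the device's trust boundary; a non-empty result means the file should be treated as containing plaintext credentials until the setting is enabled and the config re-saved.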
If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----