PSIRT Advisory

DUHK Attack against Fortinet Products

Summary

When devices use ANSI X9.31 RNG (which was removed from the list of FIPS-approved random number generation algorithms in January 2016) to generate cryptographic key under a static seed and under use with long-lived security tunnels like SSL/TLS/SSH/IPSec, such devices are vulnerable to the DUHK attack.

Impact

Allows unauthorized disclosure of information

Affected Products

For FortiOS:

FortiOS only affect 4.3.0 to 4.3.18 versions [1]:
* FortiOS 4.3.19 and 5.0.0 above are not affected
* FortiOS 4.2 and below versions are not affected

The following products are NOT affected [2]:

FortiAP
FortiSwitch
FortiAnalyzer

[1] FortiOS 4.3 used to implement the ANSI X9.31 RNG to decrypt TLS/IPSec traffic.
[2] Either X9.31 not been used or not meet the vulnerable conditions.

Solutions

For FortiOS upgrade to FortiOS 4.3.19, 5.0.0 or above [3].

[3] It is now superseded by the CTR_DRBG implementation as per the NIST SP800-90 recommendations since FortiOS 5.0.0 GA release.

Acknowledgement

Fortinet is pleased to thank Matthew D. Green of the Johns Hopkins University and Shaanan Cohney of University of Pennsylvania for reporting this vulnerability under responsible disclosure.