The ROBOT Attack - Return of Bleichenbacher's Oracle Threat

Summary

A plaintext recovery of encrypted messages or a Man-in-the-middle (MiTM) attack on RSA PKCS #1 v1.5 encryption may be possible without knowledge of the server's private key.


FortiOS is affected by the following two CVEs:
CVE-2018-9192: ROBOT vulnerability reported under SSL Deep Inspection when CPx is being used
CVE-2018-9194: ROBOT attack under VIP SSL offloading when CPx is being used
 

FortiOS for admin port 443 is NOT vulnerable to the ROBOT attack.
 

Affected Products

FortiOS
CVE-2018-9192:
5.2 branch: not vulnerable
5.4 branch: 5.4.6 to 5.4.9
5.6 branch: not vulnerable
6.0 branch: 6.0.0 to 6.0.1
CVE-2018-9194:
5.2 branch: not vulnerable
5.4 branch: 5.4.6 to 5.4.9
5.6 branch: not vulnerable
6.0 branch: 6.0.0 to 6.0.1
The following Fortinet products are NOT affected:
FortiSwitch
FortiAP
FortiAnalyzer
FortiMail
FortiManager
FortiWeb
Details:
CVE-2018-9192 - only when all of the conditions below are met:
1. The model supports a content processor (CPx) and KXP traffic acceleration is enabled (enabled is the default value)
2. An SSL Deep Inspection UTM profile is used
CVE-2018-9194 - only when all of the conditions below are met:
1. The FortiGate model supports a content processor (CPx) and KXP traffic acceleration is enabled (enabled is the default value)
2. VIP SSL offloading is used [1]
[1] A typical VIP SSL offloading CLI config (only the key settings are shown):
config firewall vip
edit [vip-name]
set type server-load-balance
set server-type https
next
end
config firewall policy
edit [policy-id]
set dstaddr [vip-name]
set utm-status enable
set ssl-ssh-profile [profile-name]
next
end

Solutions

Upgrade to FortiOS 6.0.2 or above in branch 6.0, or to 5.4.10 or above in branch 5.4 (the FortiOS 5.2 and 5.6 branches are not impacted).

Workarounds:

For CVE-2018-9192, only one workaround is available:

The workaround consists of disabling KXP traffic acceleration:
config system global
set proxy-kxp-hardware-acceleration disable
end
For CVE-2018-9194, three types of workaround are available:
One workaround consists of disabling KXP traffic acceleration:
config system global
set proxy-kxp-hardware-acceleration disable
end
Users can also avoid the attack by disabling RSA cipher suites in the TLS protocol, using one of the following two CLI settings:
By ensuring that only PFS (Perfect Forward Secrecy) ciphers are used:
config firewall vip
edit [vip-name]
set type server-load-balance
set server-type https
set ssl-pfs require (only using PFS ciphers)
next
end 
By allowing only specific custom ciphers that do not use RSA:
config firewall vip
edit [vip-name]
set type server-load-balance
set server-type https
config ssl-cipher-suites
edit
set cipher (ciphers that do not include TLS-RSA-xxx)
next
end
next
end
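
The CVE-2018-9194 conditions and workarounds above can be checked against a configuration backup. The following Python audit is an added example, not Fortinet code: the sample config, the VIP names, the cipher-suite entry id `1` and the cipher name are constructed assumptions, and an unset `ssl-pfs` is assumed to mean PFS is not required. It cannot tell whether the model has a CPx or which firmware version is running.

```python
# Constructed sample in the advisory's CLI syntax; not from a real device.
SAMPLE = """config firewall vip
edit "web-a"
set type server-load-balance
set server-type https
next
edit "web-b"
set type server-load-balance
set server-type https
set ssl-pfs require
next
edit "web-c"
set type server-load-balance
set server-type https
config ssl-cipher-suites
edit 1
set cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
next
end
next
end"""

def parse(text):  # flatten config/edit/set nesting into {path: {key: value}}
    stack, out = [], {}
    for raw in text.splitlines():
        op, *rest = raw.replace('"', "").split() or [""]
        if op in ("config", "edit"):
            stack.append(" ".join([op, *rest]))
        elif op in ("next", "end") and stack:
            stack.pop()
        elif op == "set" and len(rest) > 1:
            out.setdefault(tuple(stack), {})[rest[0]] = " ".join(rest[1:])
    return out

def audit(text):  # -> (kxp_on, {vip: "ok" | "exposed"}) for CVE-2018-9194
    cfg, vips = parse(text), {}
    kxp_on = cfg.get(("config system global",), {}).get(
        "proxy-kxp-hardware-acceleration", "enable") != "disable"  # enabled by default
    for path, kv in cfg.items():
        if len(path) != 2 or path[0] != "config firewall vip" or \
           (kv.get("type"), kv.get("server-type")) != ("server-load-balance", "https"):
            continue
        ciphers = [v["cipher"] for p, v in cfg.items()
                   if p[:3] == path + ("config ssl-cipher-suites",) and "cipher" in v]
        # ECDHE-RSA/DHE-RSA only sign with RSA; the TLS-RSA- prefix marks RSA key exchange.
        no_rsa_kx = bool(ciphers) and not any(c.startswith("TLS-RSA-") for c in ciphers)
        mitigated = not kxp_on or kv.get("ssl-pfs") == "require" or no_rsa_kx
        vips[path[1][5:]] = "ok" if mitigated else "exposed"
    return kxp_on, vips
print(audit(SAMPLE))
```

A VIP reported as "exposed" matches the configuration conditions only; confirm the FortiOS version against the affected ranges before treating it as vulnerable.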

 

Edited on: 13-10-2022

Acknowledgement

Fortinet is pleased to thank Adam Kavan of Professional Research Consultants for reporting CVE-2018-9192 under responsible disclosure. Fortinet is pleased to thank Lars Müller of BTC AG for reporting CVE-2018-9194 under responsible disclosure.