PSIRT Advisory

Hardcoded cryptographic key in the FortiGuard services communication protocol

Summary

Use of a hardcoded cryptographic key in the FortiGuard services communication protocol may allow a man-in-the-middle attacker with knowledge of the key to eavesdrop on and modify information sent to and received from FortiGuard servers (URL/SPAM services in FortiOS 5.6, URL/SPAM/AV services in FortiOS 6.0, and URL rating in FortiClient) by decrypting these messages.

Impact

Information disclosure

Affected Products

All versions below FortiOS 6.2.0
All versions below FortiClientWindows 6.2.0
All versions below FortiClientMac 6.2.2

Solutions

Upgrade to FortiOS 6.2.0, then manually change the configuration to use TLS as the communication protocol with FortiGuard servers after the upgrade, or do a fresh install to get the new default, which is the TLS-based system.
Upgrade to FortiClientWindows 6.2.0 or FortiClientMac 6.2.2, then change the EMS configuration in the Endpoint Profile to use "FortiGuard Anycast". The new option is provided in the Web Filter tab as well as the System Settings tab.
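As an added example (not part of this advisory or Fortinet's tooling), the check below encodes the affected-version thresholds and the post-upgrade actions stated above, so an inventory can be triaged with a proper numeric version comparison; the inventory lines and the "version build-tag" string format are constructed.

```python
"""Added example (not part of the Fortinet advisory): flag inventoried
product versions that fall inside the advisory's affected ranges.
Product names and thresholds are the advisory's; inventory lines and the
version-string format (e.g. "6.0.5 build0268") are constructed."""
import re

# Product -> (first fixed version, post-upgrade action), as stated in the advisory.
FIXED = {
    "FortiOS": ((6, 2, 0), "switch FortiGuard communication to TLS"),
    "FortiClientWindows": ((6, 2, 0), "select FortiGuard Anycast in the EMS Endpoint Profile"),
    "FortiClientMac": ((6, 2, 2), "select FortiGuard Anycast in the EMS Endpoint Profile"),
}

def parse_version(text):
    """Return the leading dotted numeric version as a tuple, ignoring an
    optional 'v' prefix and trailing build tags; raise on unparsable input."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad "6.2" -> (6, 2, 0)

def assess(product, version):
    """Return (affected, advice) for one product/version pair. Comparing
    integer tuples avoids the lexicographic trap where '6.10.0' < '6.2.0'."""
    if product not in FIXED:
        return False, f"{product}: not listed in this advisory"
    fixed, action = FIXED[product]
    if parse_version(version) < fixed:
        target = ".".join(map(str, fixed))
        return True, f"{product} {version}: affected; upgrade to {target}, then {action}"
    return False, f"{product} {version}: not affected by this advisory"

def assess_inventory(lines):
    """Triage constructed 'Product<space>Version' inventory lines."""
    return [assess(*line.split(None, 1)) for line in lines if line.strip()]

if __name__ == "__main__":
    sample = ["FortiOS 6.0.5 build0268", "FortiOS 6.2.0",
              "FortiClientMac 6.2.1", "FortiClientWindows v6.10.1"]
    for affected, advice in assess_inventory(sample):
        print(("AFFECTED  " if affected else "ok        ") + advice)
```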

Acknowledgement

Fortinet is pleased to thank Stefan Viehböck - SEC Consult Vulnerability Lab for reporting this under responsible disclosure.