PSIRT Advisory

Hardcoded cryptographic key in the FortiGuard services communication protocol


Use of a hardcoded cryptographic key in the FortiGuard services communication protocol may allow a Man in the middle with knowledge of the key to eavesdrop on and modify information (URL/SPAM services in FortiOS 5.6, and URL/SPAM/AV services in FortiOS 6.0.; URL rating in FortiClient) sent and received from Fortiguard servers by decrypting these messages.


Information disclosure

Affected Products

All versions below FortiOS 6.2.0
All versions below FortiClientWindows 6.2.0
All versions below FortiClientMac 6.2.2


Upgrade to FortiOS 6.2.0 then manually change the configuration to use TLS as communication protocol with FortiGuard servers after upgrade or do a fresh install to get the new default which is the TLS based system.
Upgrade to FortiClientWindows 6.2.0  or FortiClientMac 6.2.2 then change EMS configuration in the Endpoint Profile to use "FortiGuard Anycast". The new option is provided for Web Filter tab, as well as System Settings tab.


Fortinet is pleased to thank Stefan Viehböck - SEC Consult Vulnerability Lab for reporting this under responsible disclosure.