PSIRT Advisory

Use of a hard-coded cryptographic key to cipher sensitive data in configuration backup files

Summary

FortiOS encrypts sensitive data in configuration backup files with a hard-coded cryptographic key. An attacker who obtains a backup file and knows that hard-coded key can therefore decrypt the sensitive data it contains.


The sensitive data in question includes user passwords (except the administrator's password), private key passphrases and the High Availability (HA) password (when one is set).

Impact

Information Disclosure

Affected Products

FortiOS 5.6.10 and below

FortiOS 6.0.6 and below

FortiOS 6.2.0

Solutions

In FortiOS 5.6.11, 6.0.7, 6.2.1 and later, administrators can instead supply their own key: when the option below is enabled, FortiOS prompts for a 32-hexadecimal-digit (128-bit) private data encryption key and uses it, rather than the hard-coded key, to encrypt sensitive data in the configuration file. The following steps enable this option:


# config system global

# set private-data-encryption enable

# end

Please type your private data encryption key (32 hexadecimal numbers):

Please re-enter your private data encryption key (32 hexadecimal numbers) again:


This CLI option is disabled by default, so upgrading to a fixed version does not by itself change how backups are encrypted: until the option is enabled, configuration backups continue to use the hard-coded key, and any backup taken before it was enabled should still be treated as decryptable by anyone who obtains it.
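The script below is an added triage example, not Fortinet's code, covering both the Affected Products list and the Solutions section: it reads a FortiOS backup, extracts the firmware version, lists which fields are stored under the ENC marker, checks whether private-data-encryption was enabled, and decides whether the file must be treated as exposed to the hard-coded key. It assumes the backup is the plain-text CLI format (config/edit/set/next/end), that the first line is the usual "#config-version=<model>-<x.y.z>-FW-build..." header, and that an enabled option is serialised as "set private-data-encryption enable" under "config system global". The two sample backups are constructed for the example.

```python
"""Triage a FortiOS configuration backup against this advisory (added example)."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the advisory: 5.6.11, 6.0.7 and 6.2.1.
FIXED = {(5, 6): (5, 6, 11), (6, 0): (6, 0, 7), (6, 2): (6, 2, 1)}

# The advisory excludes the administrator password from the affected data,
# so values under "config system admin" are not reported.
EXCLUDED_PATH_PREFIXES = ("system admin",)

# Assumed header format: "#config-version=FGT60E-6.0.6-FW-build0000-000000:..."
HEADER_RE = re.compile(r"^#config-version=\S+?-(\d+\.\d+\.\d+)-FW-")
ENC_RE = re.compile(r"^set\s+(\S+)\s+ENC\s+\S+")


def parse_version(text: str) -> Version:
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not an x.y.z version: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True if the release has no private-data-encryption option at all."""
    if version <= (5, 6, 10):          # "5.6.10 and below"
        return True
    branch = version[:2]
    if branch in FIXED:                 # 6.0.x below 6.0.7, 6.2.0 below 6.2.1
        return version < FIXED[branch]
    return False                        # branches the advisory does not list


def backup_version(backup: str) -> Optional[Version]:
    m = HEADER_RE.match(backup.lstrip())
    return parse_version(m.group(1)) if m else None


def enc_fields(backup: str) -> List[str]:
    """Return '<config path>:<key>' for every ENC-stored value in scope."""
    path: List[str] = []
    found: List[str] = []
    for raw in backup.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            path.append(line[len("config "):])
        elif line.startswith("edit "):
            path.append(line[len("edit "):].strip('"'))
        elif line in ("next", "end"):
            if path:
                path.pop()
        else:
            m = ENC_RE.match(line)
            if m and not "/".join(path).startswith(EXCLUDED_PATH_PREFIXES):
                found.append("/".join(path) + ":" + m.group(1))
    return found


def private_data_encryption_enabled(backup: str) -> bool:
    """Assumption: the option is serialised inside 'config system global'."""
    in_global = False
    for raw in backup.splitlines():
        line = raw.strip()
        if line == "config system global":
            in_global = True
        elif in_global and line == "end":
            return False
        elif in_global and line == "set private-data-encryption enable":
            return True
    return False


def triage(backup: str) -> dict:
    version = backup_version(backup)
    fields = enc_fields(backup)
    enabled = private_data_encryption_enabled(backup)
    # Exposed if anything is stored under ENC and the file was written by an
    # affected release, an unknown release, or a fixed release with the option off.
    exposed = bool(fields) and (version is None or is_affected(version) or not enabled)
    return {"version": version, "enc_fields": fields,
            "private_data_encryption": enabled, "treat_as_exposed": exposed}


# Constructed sample: an affected release with the option absent.
SAMPLE_BACKUP = """\
#config-version=FGT60E-6.0.6-FW-build0000-000000:opmode=0:vdom=0:user=admin
config system global
    set hostname "lab-fw"
end
config system admin
    edit "admin"
        set password ENC YWRtaW4taGFzaC1wbGFjZWhvbGRlcg==
    next
end
config system ha
    set group-name "cluster1"
    set password ENC aGEtY2lwaGVydGV4dC1wbGFjZWhvbGRlcg==
end
config user local
    edit "alice"
        set type password
        set passwd ENC dXNlci1jaXBoZXJ0ZXh0LXBsYWNlaG9sZGVy
    next
end
"""

# Constructed sample: the same device on a fixed release with the option enabled.
SAMPLE_BACKUP_FIXED = SAMPLE_BACKUP.replace("6.0.6", "6.0.7").replace(
    'set hostname "lab-fw"',
    'set hostname "lab-fw"\n    set private-data-encryption enable')

if __name__ == "__main__":
    for name, text in (("affected", SAMPLE_BACKUP), ("fixed", SAMPLE_BACKUP_FIXED)):
        print(name, triage(text))
```

Run it against a real backup by reading the file into `triage()`; a result with `treat_as_exposed` set should be handled as though the listed user, HA and private-key secrets are already known to whoever holds the file.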

Acknowledgement

Fortinet is very pleased to thank Bart Dopheide (bart.dopheide@axians.com), as well as the independent research team of Denis Kolegov, Maxim Gorbunov, Nikita Oleksov and Anton Nikolaev, for reporting this vulnerability under responsible disclosure and for helping us make our products more secure.