Fortigate: Exporting a local certificate with private key

Summary

Improper permission or value checking in the CLI console may allow a non-privileged user to obtain plaint text private keys of system's builtin local certificates via unsetting the keys encryption password or for user uploaded local certificates via setting an empty password. Note that backed up config files can be restored onto a version of FortiOS or FortiProxy vulnerable to this, in order to obtain the plaintext versions of local certificates private keys encrypted in those config files.

Affected Products

For system builtin local certificates via unsetting password:
FortiOS 6.2.0, 6.0.0 to 6.0.6, 5.6.10 and below
For user uploaded local certificates via setting an empty password:
FortiOS 6.2.1, 6.2.0, 6.0.6 and below.

FortiProxy version 2.0.0 through 2.0.4
FortiProxy 1.2 all versions
FortiProxy 1.1 all versions
FortiProxy 1.0 all versions

Solutions

For system builtin local certificates via password unset: Upgrade to FortiOS 5.6.11, 6.0.7 or 6.2.1 and above For user uploaded local certificates via setting empty password: Upgrade to FortiOS 6.0.7 or 6.2.2 and above.
Please upgrade to FortiProxy version 7.0.0 or above,
Please upgrade to FortiProxy version 2.0.5 or above.
[Workarounds] Always encrypt your FortiGate and FortiProxy configuration during backup and ensure to store or transfer your FortiGate or FortiProxy configuration through secure channels. Avoid disclosing your FortiGate or FortiProxy config snippet containing the following parts: config vpn certificate local edit [cert-name] set password ENC xxx set private-key "-----BEGIN ENCRYPTED PRIVATE KEY----- ..." next end