PSIRT Advisory

FortiOS DRBG insufficient entropy

Summary

Some FortiOS models, by default, suffer from insufficient entropy ("seed") in the software-based CTR DRBG random data generator.

Insufficient randomness of the software source used to seed FortiOS' random number generator enables theoretical and experimental attacks. When FortiOS acts as a TLS client with an RSA handshake and mutual ECDSA authentication, it may be possible to recover the long-term ECDSA secret with the help of Flush+Reload side-channel attacks, thereby breaking the TLS connection's confidentiality.

Impact

Insufficient Entropy

Affected Products

The impact differs greatly between FortiOS running on FortiGate hardware and FortiOS VM instances.

The attack is only feasible on FortiOS VM instances, and only if the attacker is able to execute a Flush+Reload side-channel attack on the VM's host system. Furthermore, the attacker must be able to make FortiOS' TLS client connect repeatedly to an attacker-controlled malicious TLS server (which would require a different, previously successful attack).

Solutions

* All FortiOS models support Araneus USB TRNG hardware tokens, starting from FortiOS 5.0.10. The tokens are used as a hardware entropy source to seed FortiOS' DRBG, effectively solving the issue.


* The following models have a built-in hardware entropy source to seed the DRBG:

  FortiGate E models using ASIC CP9, starting from FortiOS 5.6.1 and 6.0.0

  FortiGate E models using ASIC SOC3, starting from FortiOS 5.6.6, 6.0.2 and 6.2.0

NOTE: to check for the presence of a CP9 or SOC3 ASIC chip, use the following CLI command:

  # get hardware status
  Model name: FortiGate-xxx
  ASIC version: SOC3 or CP9


* Intel CPU-based FortiOS models support Intel's rdseed instruction as a hardware entropy source for the DRBG, starting from FortiOS 6.2.2.

NOTE: to check for rdseed support, use the following CLI command:

  # fnsysctl cat /proc/cpuinfo
  flags : rdseed


* FortiOS VM instances are able to use the Intel rdseed instruction of the VM's host, IF the host supports it AND exposes it to the VMs (as of this writing, this is the case for AWS C5 and GCP hosts).


* FortiOS VM instances also support the Araneus USB TRNG solution.
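The following triage helper is an added example and not Fortinet code: it encodes the per-release-branch version thresholds and hardware conditions listed in the solutions above, so an operator can paste the "get hardware status" ASIC line, the cpuinfo flags line and the FortiOS version string and see which hardware entropy source, if any, seeds the DRBG on that unit. The CLI output embedded at the bottom is constructed sample data; release branches newer than the last one named for an ASIC are assumed to carry that fix.

```python
import re

# Minimum FortiOS version per (hardware source, release branch) at which
# that source seeds the DRBG, as listed in this advisory.
ASIC_MIN = {
    "CP9":  {(5, 6): (5, 6, 1), (6, 0): (6, 0, 0)},
    "SOC3": {(5, 6): (5, 6, 6), (6, 0): (6, 0, 2), (6, 2): (6, 2, 0)},
}
RDSEED_MIN = (6, 2, 2)    # Intel rdseed, any release from 6.2.2 on
ARANEUS_MIN = (5, 0, 10)  # Araneus USB TRNG, any release from 5.0.10 on

def parse_version(text):
    """'6.0.4' or 'v6.0.4,build0231' -> (6, 0, 4)."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no FortiOS version in %r" % text)
    return tuple(int(x) for x in m.groups())

def parse_asic(hw_status):
    """Return 'CP9', 'SOC3' or None from 'get hardware status' output."""
    m = re.search(r"^ASIC version:\s*(\S+)", hw_status, re.M)
    return m.group(1) if m and m.group(1) in ASIC_MIN else None

def has_rdseed(cpuinfo):
    """True if a 'flags' line of /proc/cpuinfo lists rdseed."""
    return any(line.startswith("flags") and "rdseed" in line.split()
               for line in cpuinfo.splitlines())

def asic_seeds_drbg(asic, v):
    """Per-branch check: e.g. SOC3 needs 5.6.6 on 5.6 but 6.0.2 on 6.0."""
    thresholds = ASIC_MIN[asic]
    if v[:2] in thresholds:
        return v >= thresholds[v[:2]]
    # Assumption: branches newer than the last one listed carry the fix.
    return v[:2] > max(thresholds)

def entropy_sources(version, asic=None, rdseed=False, araneus=False):
    """Hardware entropy sources seeding the DRBG for this unit."""
    v = parse_version(version)
    found = []
    if asic in ASIC_MIN and asic_seeds_drbg(asic, v):
        found.append(asic)
    if rdseed and v >= RDSEED_MIN:
        found.append("rdseed")
    if araneus and v >= ARANEUS_MIN:
        found.append("araneus")
    return found

# Constructed sample output, shaped like the CLI commands shown above.
HW_STATUS = "Model name: FortiGate-xxx\nASIC version: SOC3\n"
CPUINFO = "processor : 0\nflags : fpu sse2 rdrand rdseed\n"
```

An empty result means none of the hardware sources named in this advisory is active for that version and hardware, so the unit still relies on the software seed.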


Workarounds

Host FortiOS VM instances on a dedicated VM host to avoid side-channel attacks.

Acknowledgement

Fortinet is pleased to thank Shaanan Cohney of the University of Pennsylvania for reporting this vulnerability under responsible disclosure.