Hardcoded SSLVPN cookie encryption key

Summary

A use of hard-coded cryptographic key vulnerability [CWE-321] in FortiOS SSLVPN may allow an attacker to retrieve the SSLVPN cookie encryption key by reverse engineering.

Affected Products

FortiOS 6.4.5 and below.
FortiOS 6.2.8 and below.
FortiOS 6.0.12 and below.
FortiOS 5.6.13 and below.

Solutions

Upgrade to FortiOS 7.0.0 or above.
Upgrade to FortiOS 6.4.6 or above.
Upgrade to FortiOS 6.2.10 or above.
Upgrade to FortiOS 6.0.13 or above.
Upgrade to FortiOS 5.6.14 or above.
For the new high-end F-Series models (FG-1800F, FG-3800F, FG-4200F, FG-4400F), please upgrade to 6.2.9.
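Added example (not Fortinet's code and not part of this advisory): a branch-aware checker that maps a FortiOS version string, and optionally the device model, onto the affected and fixed ranges stated above, for triaging a device inventory. The version ranges are copied from the lists above; the function names and the sample inventory are constructed.

```python
# Added example: classify FortiOS versions against the ranges stated in this advisory.
# Not Fortinet's code; ranges are taken from the advisory text, names are my own.
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# branch -> (highest affected release, first fixed release), as stated in the advisory
ADVISORY_RANGES: Dict[Tuple[int, int], Tuple[Version, Version]] = {
    (5, 6): ((5, 6, 13), (5, 6, 14)),
    (6, 0): ((6, 0, 12), (6, 0, 13)),
    (6, 2): ((6, 2, 8), (6, 2, 10)),
    (6, 4): ((6, 4, 5), (6, 4, 6)),
}
# The advisory lists 7.0.0 or above as a solution; 7.0 is not an affected branch.
# High-end F-Series models get their fix in 6.2.9 instead of 6.2.10.
F_SERIES_MODELS = {"FG-1800F", "FG-3800F", "FG-4200F", "FG-4400F"}
F_SERIES_FIX: Version = (6, 2, 9)


def parse_version(text: str) -> Version:
    """Parse 'v6.4.5', '6.4.5' or 'v6.4.5,build1828,...' into (major, minor, patch)."""
    core = text.strip().lstrip("v").split(",")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def assess(version_text: str, model: str = "") -> str:
    """Return 'affected', 'fixed' or 'unlisted' for a FortiOS version and optional model."""
    v = parse_version(version_text)
    branch = (v[0], v[1])
    if branch not in ADVISORY_RANGES:
        # 7.0 and later are listed as a solution; branches older than 5.6 are not covered.
        return "fixed" if v >= (7, 0, 0) else "unlisted"
    last_affected, first_fixed = ADVISORY_RANGES[branch]
    if branch == (6, 2) and model.upper() in F_SERIES_MODELS:
        first_fixed = F_SERIES_FIX
    if v <= last_affected:
        return "affected"
    if v >= first_fixed:
        return "fixed"
    return "unlisted"  # e.g. 6.2.9 on a non-F-Series model sits between the two lists


def triage(inventory: Dict[str, Tuple[str, str]]) -> Dict[str, str]:
    """Map hostname -> verdict for a constructed {host: (version, model)} inventory."""
    return {host: assess(ver, model) for host, (ver, model) in inventory.items()}
```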

Timeline

2021-12-07: Initial publication