Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2012.1062
Fortigate UTM appliances share the same default CA certificate
7 November 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Fortigate UTM appliances
Publisher: US-CERT
Operating System: Network Appliance
Impact/Access: Provide Misleading Information -- Remote/Unauthenticated
Access Privileged Data -- Remote/Unauthenticated
Resolution: Mitigation
CVE Names: CVE-2012-4948 CVE-2012-3372
- --------------------------BEGIN INCLUDED TEXT--------------------
Vulnerability Note VU#111708
Fortigate UTM appliances share the same default CA certificate
Original Release date: 02 Nov 2012 | Last revised: 02 Nov 2012
Overview
Fortigate UTM appliances that support SSL/TLS deep packet inspection share the
same self-signed Fortigate CA certificate and associated private key across all
devices. The private key, which has been compromised, allows attackers to
create and sign fake certificates.
Description
Fortigate UTM appliances share the same self-signed Fortigate CA certificate.
Companies that use these appliances for deep packet inspection will have most
likely deployed the CA certificate to endpoint web browsers so certificate
warnings will not be seen by an end-user. Since the associated private key has
been compromised (published on the web), an attacker with a man-in-the-middle
vantage point on the network will be able to simulate the behavior of the
Fortigate appliance and eavesdrop on encrypted communications or spoof
websites. Also, the attacker may digitally sign malicious software, spoofing
the identity of the publisher.
Impact
Primarily at risk are users who have imported the compromised Fortigate CA
certificate into their web browser or operating system. This risk applies
equally within the company (connected to a network behind the Fortigate UTM
appliance) as anywhere else. An attacker with a man-in-the-middle vantage point
on the current network may be able to eavesdrop on encrypted communications.
In addition, an attacker may falsify digital signatures such as Authenticode.
Solution
Install a new CA certificate
The vendor recommends the following steps be taken to address this
vulnerability.
Admin creates/obtains a CA certificate for which only they have the private
key.
Admin installs the CA certificate on FortiGate.
Admin uses "set caname xxx" to select that certificate for SSL deep
inspection.
Disable the Fortigate CA certificate
Endpoints should not trust the self-signed Fortigate CA certificate. The
following certificate information is for the certificate that should be
distrusted:
Subject: "E = support@fortinet.com; CN = FortiGate CA; OU = Certificate
Authority; O = Fortinet; L = Sunnyvale; S = California; C = US";
Thumbprint: 3e 20 7f 9a 6b d9 5c 7c 2b 89 11 67 d3 2f 57 87 2f 76 60 14
The preferrable way to distrust a CA certificate is to import it to the
"Untrusted certificates" branch of the system certificate store. To continue
the use of SSL/TLS deep packet inspection, a new, unique, CA certificate may
be generated and imported into the Fortigate UTM appliance. To prevent users
from experiencing certificate errors, that new CA certificate can be imported
into web browsers. Chapter 6 of the FortiOS handbook contains instructions on
how to replace the default CA certificate.
Vendor Information (Learn More)
Vendor Status Date Notified Date Updated
Fortinet, Inc. Affected 07 Sep 2012 30 Oct 2012
If you are a vendor and your product is affected, let us know.
CVSS Metrics (Learn More)
Group Score Vector
Base 4.6 AV:A/AC:H/Au:N/C:C/I:N/A:N
Temporal 3.7 E:F/RL:W/RC:UC
Environmental 3.7 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
References
http://docs.fortinet.com/fos40hlp/43/wwhelp/wwhimpl/common/html/wwhelp.htm?context=fgt&file=misc_utm_chapter.61.13.html
http://kb.fortinet.com/kb/viewContent.do?externalId=FD32404
http://www.fortinet.com/solutions/unified_threat_management.html
https://media.torproject.org/misc/2012-07-03-cyberoam-CVE-2012-3372.txt
http://docs.fortinet.com/fos40hlp/43/wwhelp/wwhimpl/js/html/wwhelp.htm
Credit
Thanks to Bitwiper for reporting this vulnerability.
This document was written by Jared Allar.
Other Information
CVE IDs: CVE-2012-4948
Date Public: 22 Oct 2012
Date First Published: 02 Nov 2012
Date Last Updated: 02 Nov 2012
Document Revision: 19
Feedback
If you have feedback, comments, or additional information about this
vulnerability, please send us email.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUJn8D+4yVqjM2NGpAQKRcw//VVLDS1J6WLVceUkCy2lpNK14NGAULfgY
EqjpW3H//cUqgjRPma/Pw8a9f0erlr5LSD8p9x30LLQ5VqMOuoKE9BcwNh6/kC4d
sXWxgZS3sgRURaAKJtYaI7xCawYt4HQmtR9x5LtrFrp147NUqRlm7dcSSey0cW6V
pC3gTJIO5tI6/+iBicBV8A+IKWzwcvJ52PCC6SzLYPZNnQ31J9uXSc1vUeil9+Op
UVv95Gx8PWsLd29cHsVaADELU/FD2hVS1khaVOC9bbhd1dL/PAdmyh4JSiPwnJh7
con7dsvgdhENHDhBdN5qtVsQ1tIKQ2a7Jwg67+fwVxHzvoJDFIdi00inD6/wuJE6
X4IHwzPuk5SNhozZCDbOjw4B+2KSO4ThK6k13/12rJk6fospiEigiLNjsEetkFVp
bQRR5UoTlg85Eewt3j8TGyxeoP5oGBiIDV5VNbK9Pbhms3nrxYSzxfAabjO2TbLE
EycexuB7pKS2spQNw2WJwKdVS1lt6DPb+I6cgVdzGcvDUavhPlfNydWF/hoK674r
nBYCU5ITiOgtnySq0EIDm+0v+y0oWBT5wdkp0PyCbSdD0frNWAEG7/sY8dc4N77B
hpqNXBt8/Pf+GKXtGds+zcNR7GTuXSGVdScTc+0OzXBzkrspUFs0lCEm8RzdFZrG
I/Lo1TK4ipE=
=ehBR
-----END PGP SIGNATURE-----