-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.1062
      Fortigate UTM appliances share the same default CA certificate
                               7 November 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Fortigate UTM appliances
Publisher:         US-CERT
Operating System:  Network Appliance
Impact/Access:     Provide Misleading Information -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
Resolution:        Mitigation
CVE Names:         CVE-2012-4948 CVE-2012-3372

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Note VU#111708

Fortigate UTM appliances share the same default CA certificate

Original Release date: 02 Nov 2012 | Last revised: 02 Nov 2012

Overview

Fortigate UTM appliances that support SSL/TLS deep packet inspection share
the same self-signed Fortigate CA certificate and associated private key
across all devices. The private key, which has been compromised, allows
attackers to create and sign fake certificates.

Description

Fortigate UTM appliances share the same self-signed Fortigate CA
certificate. Companies that use these appliances for deep packet inspection
will most likely have deployed the CA certificate to endpoint web browsers
so that certificate warnings are not seen by the end user. Since the
associated private key has been compromised (published on the web), an
attacker with a man-in-the-middle vantage point on the network will be able
to simulate the behavior of the Fortigate appliance and eavesdrop on
encrypted communications or spoof websites. The attacker may also digitally
sign malicious software, spoofing the identity of the publisher.

Impact

Primarily at risk are users who have imported the compromised Fortigate CA
certificate into their web browser or operating system. This risk applies
equally within the company (connected to a network behind the Fortigate UTM
appliance) as anywhere else. An attacker with a man-in-the-middle vantage
point on the current network may be able to eavesdrop on encrypted
communications. In addition, an attacker may falsify digital signatures
such as Authenticode.

Solution

Install a new CA certificate

The vendor recommends the following steps be taken to address this
vulnerability:

  1. Admin creates/obtains a CA certificate for which only they have the
     private key.
  2. Admin installs the CA certificate on FortiGate.
  3. Admin uses "set caname xxx" to select that certificate for SSL deep
     inspection.

Disable the Fortigate CA certificate

Endpoints should not trust the self-signed Fortigate CA certificate. The
following certificate information is for the certificate that should be
distrusted:

  Subject:    "E = support@fortinet.com; CN = FortiGate CA;
               OU = Certificate Authority; O = Fortinet; L = Sunnyvale;
               S = California; C = US"
  Thumbprint: 3e 20 7f 9a 6b d9 5c 7c 2b 89 11 67 d3 2f 57 87 2f 76 60 14

The preferable way to distrust a CA certificate is to import it into the
"Untrusted certificates" branch of the system certificate store.

To continue the use of SSL/TLS deep packet inspection, a new, unique CA
certificate may be generated and imported into the Fortigate UTM appliance.
To prevent users from experiencing certificate errors, that new CA
certificate can be imported into web browsers. Chapter 6 of the FortiOS
handbook contains instructions on how to replace the default CA certificate.

Vendor Information

  Vendor          Status     Date Notified   Date Updated
  Fortinet, Inc.  Affected   07 Sep 2012     30 Oct 2012
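The note identifies the certificate to distrust by its SHA-1 thumbprint, which is the SHA-1 hash of the certificate's DER encoding. The following script is an added example, not code from US-CERT, Fortinet or AusCERT: it walks a PEM bundle exported from a trust store (e.g. the roots a browser or a Linux host trusts), computes each certificate's thumbprint and reports any that match the thumbprint published above. The two certificate bodies in `SAMPLE_BUNDLE` are constructed placeholder bytes, not real certificates; the thumbprint arithmetic and PEM parsing are the same for a real export.

```python
"""Scan a PEM bundle for the compromised FortiGate CA certificate.

Added example (not part of VU#111708 or any Fortinet tool). A defender can
run it over a trust-store export to confirm that the shared FortiGate CA
certificate is no longer trusted, matching on the SHA-1 thumbprint quoted
in the note.
"""
import base64
import hashlib
import re

# Thumbprint quoted in VU#111708 for the shared FortiGate CA certificate.
FORTIGATE_CA_THUMBPRINT = "3e 20 7f 9a 6b d9 5c 7c 2b 89 11 67 d3 2f 57 87 2f 76 60 14"

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def normalize_thumbprint(text: str) -> str:
    """Lower-case hex with no separators, so 'AB:CD', 'ab cd' and 'abcd' compare equal."""
    return re.sub(r"[^0-9a-f]", "", text.lower())


def thumbprint_of_der(der: bytes) -> str:
    """SHA-1 over the DER bytes: this is the value browsers and Windows show as the thumbprint."""
    return hashlib.sha1(der).hexdigest()


def der_certs_in_bundle(pem_text: str):
    """Yield the DER bytes of every CERTIFICATE block in a PEM bundle, in file order."""
    for match in _PEM_BLOCK.finditer(pem_text):
        body = re.sub(r"\s+", "", match.group(1))  # strip the 64-column line breaks
        yield base64.b64decode(body, validate=True)


def find_distrusted(pem_text: str, blocklist=(FORTIGATE_CA_THUMBPRINT,)):
    """Return (index, thumbprint) for each certificate whose SHA-1 is on the blocklist."""
    wanted = {normalize_thumbprint(t) for t in blocklist}
    hits = []
    for i, der in enumerate(der_certs_in_bundle(pem_text)):
        tp = thumbprint_of_der(der)
        if tp in wanted:
            hits.append((i, tp))
    return hits


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block (64-column base64, as OpenSSL writes it)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample input: these bytes are NOT real certificates, only
# placeholders standing in for the DER of two entries in an exported store.
SAMPLE_DER_A = b"constructed placeholder DER for certificate A"
SAMPLE_DER_B = b"constructed placeholder DER for certificate B"
SAMPLE_BUNDLE = der_to_pem(SAMPLE_DER_A) + der_to_pem(SAMPLE_DER_B)


if __name__ == "__main__":
    import sys
    # Usage: python scan_bundle.py exported-roots.pem  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    hits = find_distrusted(text)
    for idx, tp in hits:
        print(f"certificate #{idx}: thumbprint {tp} is on the distrust list")
    if not hits:
        print("no blocklisted certificate found")
```

A match in the "trusted roots" export means the endpoint still trusts the shared key; after the certificate is moved to the "Untrusted certificates" branch, or the replacement CA is rolled out, the same scan over a fresh export should return no hits.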
CVSS Metrics

  Group          Score   Vector
  Base           4.6     AV:A/AC:H/Au:N/C:C/I:N/A:N
  Temporal       3.7     E:F/RL:W/RC:UC
  Environmental  3.7     CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

  http://docs.fortinet.com/fos40hlp/43/wwhelp/wwhimpl/common/html/wwhelp.htm?context=fgt&file=misc_utm_chapter.61.13.html
  http://kb.fortinet.com/kb/viewContent.do?externalId=FD32404
  http://www.fortinet.com/solutions/unified_threat_management.html
  https://media.torproject.org/misc/2012-07-03-cyberoam-CVE-2012-3372.txt
  http://docs.fortinet.com/fos40hlp/43/wwhelp/wwhimpl/js/html/wwhelp.htm

Credit

Thanks to Bitwiper for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  CVE IDs:              CVE-2012-4948
  Date Public:          22 Oct 2012
  Date First Published: 02 Nov 2012
  Date Last Updated:    02 Nov 2012
  Document Revision:    19

Feedback

If you have feedback, comments, or additional information about this
vulnerability, please send us email.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUJn8D+4yVqjM2NGpAQKRcw//VVLDS1J6WLVceUkCy2lpNK14NGAULfgY
EqjpW3H//cUqgjRPma/Pw8a9f0erlr5LSD8p9x30LLQ5VqMOuoKE9BcwNh6/kC4d
sXWxgZS3sgRURaAKJtYaI7xCawYt4HQmtR9x5LtrFrp147NUqRlm7dcSSey0cW6V
pC3gTJIO5tI6/+iBicBV8A+IKWzwcvJ52PCC6SzLYPZNnQ31J9uXSc1vUeil9+Op
UVv95Gx8PWsLd29cHsVaADELU/FD2hVS1khaVOC9bbhd1dL/PAdmyh4JSiPwnJh7
con7dsvgdhENHDhBdN5qtVsQ1tIKQ2a7Jwg67+fwVxHzvoJDFIdi00inD6/wuJE6
X4IHwzPuk5SNhozZCDbOjw4B+2KSO4ThK6k13/12rJk6fospiEigiLNjsEetkFVp
bQRR5UoTlg85Eewt3j8TGyxeoP5oGBiIDV5VNbK9Pbhms3nrxYSzxfAabjO2TbLE
EycexuB7pKS2spQNw2WJwKdVS1lt6DPb+I6cgVdzGcvDUavhPlfNydWF/hoK674r
nBYCU5ITiOgtnySq0EIDm+0v+y0oWBT5wdkp0PyCbSdD0frNWAEG7/sY8dc4N77B
hpqNXBt8/Pf+GKXtGds+zcNR7GTuXSGVdScTc+0OzXBzkrspUFs0lCEm8RzdFZrG
I/Lo1TK4ipE=
=ehBR
-----END PGP SIGNATURE-----