Operating System:

[Virtual]

Published:

14 February 2020

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.3915.2
                     FortiOS DRBG unsufficient entropy
                             14 February 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiOS
Publisher:         Fortinet
Operating System:  Virtualisation
Impact/Access:     Access Privileged Data -- Console/Physical
Resolution:        Alternate Program
CVE Names:         CVE-2019-15703  

Original Bulletin: 
   https://fortiguard.com/psirt/FG-IR-19-186

Revision History:  February 14 2020: Reseeding improvement information has been 
                                     added.
                   October  21 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

FortiOS DRBG insufficient entropy

IR Number : FG-IR-19-186

Date      : Oct 18, 2019

Risk      : 2/5

Impact    : Insufficient Entropy

CVE ID    : CVE-2019-15703

CVE ID    : CVE-2019-15703

Summary

FortiGate models which do not contain and embedded TRNG may suffer from
insufficient entropy ("seed") in the CTR DRBG random data software generator,
in their default configuration.


Insufficient randomness of the software source used to seed FortiOS' random
number generator enables theoretical and experimental attacks. When FortiOS
acts as a TLS client with an RSA handshake and mutual ECDSA authentication, it
may be possible to recover the long term ECDSA secret via the help of
flush+reload side channel attacks, henceforth breaking the TLS connection's
confidentiality.

Impact

Insufficient Entropy

Affected Products

The impact tremendously differs between FortiOS running on FortiGate hardware
and VM FortiOS.


The attack is only feasible within certain circumstances, on VM FortiOS
instances, and only if the attacker is able to successfully execute a
flush-reload side channel attack on the VM's host system. Furthermore, the
attacker must be able to have FortiOS' TLS client connect to an
attacker-controlled malicious TLS server repeatedly (which would require a
previously successful different attack).

Solutions

* All FortiOS models support Araneus USB TRNG hardware tokens, starting from
FortiOS 5.0.10. The tokens are used as a hardware entropy source to seed
FortiOS' DRBG, effectively solving the issue.


* The following models have a built-in hardware entropy source to seed the
DRBG:

FortiGate E/F models using ASIC CP9 starting from FortiOS 5.6.1 and 6.0.0

FortiGate E models using ASIC SOC3 starting from FortiOS 5.6.6, 6.0.2 and 6.2.0

FortiGate F models using ASIC SOC4


NOTE: to check for the presence of CP9 or SOC3 ASIC chips, use the following
CLI command:

# get hardware status
Model name: FortiGate-xxx
ASIC version: SOC3 or CP9


* FortiOS Intel CPU based models support Intel's rdseed instruction as a
hardware entropy source for the DRBG, starting from FortiOS 6.2.2.

NOTE: To check for rdseed support, use the following CLI command:

#fnsysctl cat /proc/cpuinfo
flags : rdseed


* FortiOS VM instances are able to use the Intel's rdseed instruction of the
VM's host, IF the host supports it AND exposes it to the VMs (this is the case
as of this writing for hosts of AWS C5 and GCP)


* FortiOS VM instances also support the Araneus USB TRNG solution.


Reseeding Improvement:


Starting from FortiOS 6.0.9 and 6.2.3, FortiGates working in normal mode (as in
"not in FIPS mode") support entropy source reseeding periodically. This
improvement mitigates another potential risk vector, ie. "the FortiOS CTR DRBG
implementation ... has no explicit reseeding" risk disclosed in the referenced
paper.


Workarounds:


Host FortiOS VM instances on dedicated VM host to avoid side channel attacks.


Revision History:

2019-10-18: Initial version.
2020-02-13: Add reseeding improvement info.

Acknowledgement

Fortinet is pleased to thank Shaanan Cohney of the University of Pennsylvania
for reporting this vulnerability under responsible disclosure.

References

  o https://security.cohney.info/blackswans/

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXkXpmmaOgq3Tt24GAQjm8RAAsKgzZdxnuywndVUBB5LCzTSx4GUMZ8E/
Sc+8jtlt9pHl8JI6hxYHq5xxNuLUn7A2FUXXDQSxjkLtnWifJZo7OaWjcCDMrOmy
0yc5jbF5Pr3NaUR98bb2afrd7bwcIxGm4V/iDyqa++KYjUOOXo0qLSjD8knhFyMk
z+zh51g/qTYDnR/5BhRVIhfUDzOWT38HS8cs61uOD5Q6jCoyXnaYNqxxEbdViK4r
r4dCkEwQpPnxD2o5b+0EmSJqx6afesdG7kCNipiLpw1o7pi1TC39MU/L6k0VA3LG
U+O7DlZveMXWBdufFBtGy0ItVO8/oHg6CFuFaziRuB/M3BgYeJUeSFbCa2+o09t0
c/VHGJPD3pP9Tzbv2I9LBQIKYuCEsoVsNPxPgYtXsoiSy+s0ShR27SMiPPb9Nefg
KrwGNaqQPpeJ/PZXQ5MeaAQvCp/mhK155ep1+m5gds6fE921/anB3hK9WHlx6oMF
+c7n50SOXKTTg6xLAZYLRIMuJlk6YGHLVKSSNBn+uY7/CeSuUVgVW1KTKfe5o9Hf
KbBQTXq0uMh3yZEC+qRJhQIsXQrCKr2vOwabRCAyuJHgO7nr07LDGXcmFKVUk2M/
OC380OcvOiX04kO6yAzQptQYU4hU/h7L/pTM4uGTdFcdwoIK8hXawELaRRo40WQn
GH+Rme6QEAk=
=Kew6
-----END PGP SIGNATURE-----