Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security The Internet

Some Fortinet Products Shipped With Hardcoded Encryption Keys (zdnet.com) 21

Fortinet, a vendor of cyber-security products, took between 10 and 18 months to remove a hardcoded encryption key from three products that were exposing customer data to passive interception. From a report: The hardcoded encryption key was found inside the FortiOS for FortiGate firewalls and the FortiClient endpoint protection software (antivirus) for Mac and Windows. These three products used a weak encryption cipher (XOR) and hardcoded cryptographic keys to communicate with various FortiGate cloud services. The hardcoded keys were used to encrypt user traffic for the FortiGuard Web Filter feature, FortiGuard AntiSpam feature, and FortiGuard AntiVirus feature. A threat actor in a position to observe a user or a company's traffic would have been able to take the hardcoded encryption keys and decrypt this weakly encrypted data stream.
This discussion has been archived. No new comments can be posted.

Some Fortinet Products Shipped With Hardcoded Encryption Keys

Comments Filter:
  • by dskoll ( 99328 ) on Tuesday November 26, 2019 @02:53PM (#59458974) Homepage

    How long have we had SSL/TLS? I guess those newfangled technologies are not as trustworthy as reliable old XOR.

    Sigh. The state of the art in computer security is so depressing.

  • Danger Sign (Score:5, Insightful)

    by rgmoore ( 133276 ) <glandauer@charter.net> on Tuesday November 26, 2019 @03:04PM (#59459034) Homepage

    It seems to me that making these kinds of incredibly basic security mistakes- and weak encryption and hard coded keys are separate basic mistakes- should be a sign to steer clear of this vendor. If they screw up established technology this badly, you shouldn't trust the security of anything they do. That's the kiss of death for a company that's selling firewalls and antivirus.

    • Developers generally aren't very good at security yet. That includes developers at security companies, unfortunately.

      Fireeye had a huge whole in their appliances because they made atrocious mistakes with their web GUI. Beginner level stuff. Fireeye has people who are very smart about the very particular aspect of security they are working on, but they were clueless about other areas. Their stock list most of its value the week that the vulnerabilities were exposed.

      Fireeye is one of the examples I used wh

    • by gweihir ( 88907 )

      It seems to me that making these kinds of incredibly basic security mistakes- and weak encryption and hard coded keys are separate basic mistakes- should be a sign to steer clear of this vendor. If they screw up established technology this badly, you shouldn't trust the security of anything they do. That's the kiss of death for a company that's selling firewalls and antivirus.

      Indeed. These are the absolute basics. Whoever does not get these right cannot be trusted with anything more complex.

    • They also disable TLS certificate validation by default throughout their code in FortiSIEM: https://packetstormsecurity.co... [packetstormsecurity.com]

      Even after being notified, they still won't make a permanent fix. They expect both new and existing customers to follow a workaround guide... Which I'm sure most won't do

  • by Kevin108 ( 760520 ) on Tuesday November 26, 2019 @03:26PM (#59459150) Homepage

    It appears you've misspelled Fortnite.

  • XOR Is An Encryption Cipher? Who knew?

    I guess they decided this was way stronger that ROT13, which replaced their original algorithm ROT26.

  • I opened a priority ticket with them to verify, and the older hardware is not supported. The latest info from support is that FortiOS version 6.0.7 _is_ affected, and that older hw like the 200D is not patchable, since the 6.2.x train which fixes the problem is not available for that platform. I think this will be a painful experience by the time it's over, both for Fortinet and customers. Still hoping they come back and say that there is a 6.0.8 or something specifically to address this issue with sligh

  • My Fortnite installed fine. Waiting that long would be a real bummer.

"The whole problem with the world is that fools and fanatics are always so certain of themselves, but wiser people so full of doubts." -- Bertrand Russell

Working...