Some Fortinet Products Shipped With Hardcoded Encryption Keys (zdnet.com)
Fortinet, a vendor of cyber-security products, took between 10 and 18 months to remove a hardcoded encryption key from three products that were exposing customer data to passive interception. From a report: The hardcoded encryption key was found inside the FortiOS for FortiGate firewalls and the FortiClient endpoint protection software (antivirus) for Mac and Windows. These three products used a weak encryption cipher (XOR) and hardcoded cryptographic keys to communicate with various FortiGate cloud services. The hardcoded keys were used to encrypt user traffic for the FortiGuard Web Filter feature, FortiGuard AntiSpam feature, and FortiGuard AntiVirus feature. A threat actor in a position to observe a user or a company's traffic would have been able to take the hardcoded encryption keys and decrypt this weakly encrypted data stream.
Newfangled technology... bah! (Score:5, Insightful)
How long have we had SSL/TLS? I guess those newfangled technologies are not as trustworthy as reliable old XOR.
Sigh. The state of the art in computer security is so depressing.
Re:Newfangled technology... bah! (Score:4, Insightful)
B-b-b-but it's a security product! It's secure because we say it is! We don't have to be, you know, actually secure because we have the word "security" in our product name.
It's kinda scary just how many gaping, CS-101-level holes there are in security products: A/V, firewalls, "trusted" anything, they're often far worse than the other stuff they're supposed to be securing.
Re: (Score:2)
XOR by itself is really secure, it just depends on what you're XOR-ing your data with...
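The two points above (the summary's passive-interception scenario, and the comment that XOR is only as good as what you XOR with) as an added, runnable illustration that is not Fortinet's code nor from the article. The key, header and message contents are constructed placeholders.

```python
# Added example: why a hardcoded repeating-key XOR stream offers no confidentiality
# against a passive observer, and why the same XOR with a fresh, message-length,
# never-reused key (a one-time pad) is a different story.
import os
from itertools import cycle

HARDCODED_KEY = b"placeholder-key!"   # constructed stand-in for a key baked into a binary

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encryption and decryption are the same operation."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_key(known_plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """One plaintext/ciphertext pair of at least key_len bytes yields the key,
    because c = p ^ k implies k = p ^ c. This is the check an auditor runs to
    show a stream is unprotected."""
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return xor_bytes(known_plaintext[:key_len], ciphertext[:key_len])

def passive_observer_reads_everything() -> bytes:
    """The summary's scenario: the observer sees traffic whose first message has
    predictable content (constructed here as a fixed protocol header), and with
    the fixed key in hand every later message on the wire is readable."""
    first = b"FORTI-HEADER/1.0 example.test"              # constructed, predictable
    second = b"https://intranet.example/payroll.xlsx"     # constructed second message
    observed = [xor_bytes(first, HARDCODED_KEY), xor_bytes(second, HARDCODED_KEY)]
    k = recover_key(first, observed[0], len(HARDCODED_KEY))
    return xor_bytes(observed[1], k)

def one_time_pad_encrypt(msg: bytes):
    """The XOR the commenter has in mind: a fresh random key as long as the
    message, used exactly once. Returns (pad, ciphertext). Secure, but the pad
    must now be delivered secretly, which is the problem TLS exists to solve."""
    pad = os.urandom(len(msg))
    return pad, xor_bytes(msg, pad)

def pad_reuse_leaks(msg_a: bytes, msg_b: bytes) -> bool:
    """Same auditor check against two one-time-pad messages: recovering the pad
    of message A says nothing about message B, so the check fails (returns False)."""
    pad_a, ct_a = one_time_pad_encrypt(msg_a)
    _, ct_b = one_time_pad_encrypt(msg_b)
    recovered = recover_key(msg_a, ct_a, len(msg_a))   # this is just pad_a
    n = min(len(recovered), len(ct_b))
    return xor_bytes(ct_b[:n], recovered[:n]) == msg_b[:n]
```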
Re: (Score:2)
ROT13 is only half secure. That is why you should always apply ROT13 twice.
Danger Sign (Score:5, Insightful)
It seems to me that making these kinds of incredibly basic security mistakes- and weak encryption and hard coded keys are separate basic mistakes- should be a sign to steer clear of this vendor. If they screw up established technology this badly, you shouldn't trust the security of anything they do. That's the kiss of death for a company that's selling firewalls and antivirus.
That's what I told the devs at a security company (Score:2)
Developers generally aren't very good at security yet. That includes developers at security companies, unfortunately.
Fireeye had a huge hole in their appliances because they made atrocious mistakes with their web GUI. Beginner level stuff. Fireeye has people who are very smart about the very particular aspect of security they are working on, but they were clueless about other areas. Their stock lost most of its value the week that the vulnerabilities were exposed.
Fireeye is one of the examples I used wh
Re: (Score:2)
It seems to me that making these kinds of incredibly basic security mistakes- and weak encryption and hard coded keys are separate basic mistakes- should be a sign to steer clear of this vendor. If they screw up established technology this badly, you shouldn't trust the security of anything they do. That's the kiss of death for a company that's selling firewalls and antivirus.
Indeed. These are the absolute basics. Whoever does not get these right cannot be trusted with anything more complex.
Re: Danger Sign (Score:3)
They also disable TLS certificate validation by default throughout their code in FortiSIEM: https://packetstormsecurity.co... [packetstormsecurity.com]
Even after being notified, they still won't make a permanent fix. They expect both new and existing customers to follow a workaround guide... Which I'm sure most won't do
Please check your headline (Score:4, Funny)
It appears you've misspelled Fortnite.
XOR Is An Encryption Cipher? (Score:2)
XOR Is An Encryption Cipher? Who knew?
I guess they decided this was way stronger than ROT13, which replaced their original algorithm ROT26.
As a user of FortiGates... (Score:2)
I opened a priority ticket with them to verify, and the older hardware is not supported. The latest info from support is that FortiOS version 6.0.7 _is_ affected, and that older hw like the 200D is not patchable, since the 6.2.x train which fixes the problem is not available for that platform. I think this will be a painful experience by the time it's over, both for Fortinet and customers. Still hoping they come back and say that there is a 6.0.8 or something specifically to address this issue with sligh
Re: As a user of FortiGates... (Score:2)
Well I know _someone's_ gonna have to replace them. I don't imagine Fortinet will buy us new E-series boxes, but maybe I'll be pleasantly surprised.
Just to clarify, the zdnet article says 6.0.7 fixes the issue, but the official fortinet site says 6.0.7 is vulnerable. https://fortiguard.com/psirt/FG-IR-18-100
Re: (Score:2)
Thank you for the feedback! I did indeed post that second post from my iOS device.
That sucks bro. (Score:2)
My Fortnite installed fine. Waiting that long would be a real bummer.