DUHK Attack against Fortinet Products


When devices use ANSI X9.31 RNG (which was removed from the list of FIPS-approved random number generation algorithms in January 2016) to generate cryptographic key under a static seed and under use with long-lived security tunnels like SSL/TLS/SSH/IPSec, such devices are vulnerable to the DUHK attack.

Affected Products

For FortiOS:

FortiOS only affect 4.3.0 to 4.3.18 versions [1]:
* FortiOS 4.3.19 and 5.0.0 above are not affected
* FortiOS 4.2 and below versions are not affected

The following products are NOT affected [2]:


[1] FortiOS 4.3 used to implement the ANSI X9.31 RNG to decrypt TLS/IPSec traffic.
[2] Either X9.31 not been used or not meet the vulnerable conditions.


For FortiOS upgrade to FortiOS 4.3.19, 5.0.0 or above [3].

[3] It is now superseded by the CTR_DRBG implementation as per the NIST SP800-90 recommendations since FortiOS 5.0.0 GA release.


2016-11-22 Initial version. FortiOS DUHK attack vulnerability fixed.
2017-11-23 Add assessment for other products.


Fortinet is pleased to thank Matthew D. Green of the Johns Hopkins University and Shaanan Cohney of University of Pennsylvania for reporting this vulnerability under responsible disclosure.