PSIRTFortiOS DRBG insufficient entropy
Summary
FortiGate models which do not contain and embedded TRNG may suffer from insufficient entropy ("seed") in the CTR DRBG random data software generator, in their default configuration.
Insufficient randomness of the software source used to seed FortiOS' random number generator enables theoretical and experimental attacks. When FortiOS acts as a TLS client with an RSA handshake and mutual ECDSA authentication, it may be possible to recover the long term ECDSA secret via the help of flush+reload side channel attacks, henceforth breaking the TLS connection's confidentiality.
Affected Products
The impact tremendously differs between FortiOS running on FortiGate hardware and VM FortiOS.
The attack is only feasible within certain circumstances, on VM FortiOS instances, and only if the attacker is able to successfully execute a flush-reload side channel attack on the VM's host system. Furthermore, the attacker must be able to have FortiOS' TLS client connect to an attacker-controlled malicious TLS server repeatedly (which would require a previously successful different attack).
Solutions
* All FortiOS models support Araneus USB TRNG hardware tokens, starting from FortiOS 5.0.10. The tokens are used as a hardware entropy source to seed FortiOS' DRBG, effectively solving the issue. * The following models have a built-in hardware entropy source to seed the DRBG: FortiGate E/F models using ASIC CP9 starting from FortiOS 5.6.1 and 6.0.0 FortiGate E models using ASIC SOC3 starting from FortiOS 5.6.6, 6.0.2 and 6.2.0 FortiGate F models using ASIC SOC4 NOTE: to check for the presence of CP9 or SOC3 ASIC chips, use the following CLI command: # get hardware status Model name: FortiGate-xxx ASIC version: SOC3 or CP9 * FortiOS Intel CPU based models support Intel's rdseed instruction as a hardware entropy source for the DRBG, starting from FortiOS 6.0.9 and 6.2.2. NOTE: To check for rdseed support, use the following CLI command: #fnsysctl cat /proc/cpuinfo flags : rdseed * FortiOS VM instances are able to use the Intel's rdseed instruction of the VM's host, IF the host supports it AND exposes it to the VMs (this is the case as of this writing for hosts of AWS C5 and GCP) * FortiOS VM instances also support the Araneus USB TRNG solution. Reseeding Improvement: Starting from FortiOS 6.0.9 and 6.2.3, FortiGates working in normal mode (as in "not in FIPS mode") support entropy source reseeding periodically. This improvement mitigates another potential risk vector, ie. "the FortiOS CTR DRBG implementation ... has no explicit reseeding" risk disclosed in the referenced paper. Workarounds: Host FortiOS VM instances on dedicated VM host to avoid side channel attacks. 2019-10-18: Initial version. 2020-02-13: Add Intel rdseed support on 6.0.9. 2020-02-13: Add reseeding improvement info.
Acknowledgement
Fortinet is pleased to thank Shaanan Cohney of the University of Pennsylvania for reporting this vulnerability under responsible disclosure.