FortiOS, FortiAuthenticator - Disclosure of private keys corresponding to Apple (APNS) and Google (GCM) certificates

Summary

A clear text storage of sensitive information (CWE-312) vulnerability in both FortiGate and FortiAuthenticator may allow a local unauthorized party to retrieve the Fortinet private keys used to establish secure communication with both Apple Push Notification and Google Cloud Messaging services, via accessing the files on the filesystem.

The potentially exposed private keys have been revoked, please upgrade to the versions provided in the solutions to support push proxy.

Affected Products

FortiOS version 6.4.0 through 6.4.1
FortiOS version 6.2.0 through 6.2.9
FortiOS version 6.0.0 through 6.0.13
FortiAuthenticator version 6.1.0
FortiAuthenticator version 6.0.0 through 6.0.4
FortiAuthenticator 5.5 all versions

Solutions

Please upgrade to FortiGate version 6.4.2 or above.
Please upgrade to FortiOS version 6.2.10 or above
Please upgrade to FortiOS version 6.0.14 or above
Please upgrade to FortiAuthenticator version 6.2.0 or above
Please upgrade to FortiAuthenticator version 6.1.1 or above
Please upgrade to FortiAuthenticator version 6.0.5 or above

Workaround in FortiOS:
Disable the FTM push service by using the below commands:
config system ftm-push
set status disable
end

Acknowledgement

Fortinet is pleased to thank Independent security researcher Tom Pohl (https://twitter.com/tompohl) for reporting this vulnerability under responsible disclosure.