PSIRT Advisories

FortiOS - Hardcoded SSLVPN cookie encryption key

Summary

A use of hard-coded cryptographic key vulnerability [CWE 321] in FortiOS SSLVPN may allow an attacker to retrieve the key by reverse engineering.

Affected Products

FortiOS 6.4.5 and below.
FortiOS 6.2.8 and below.
FortiOS 6.0.12 and below.
FortiOS 5.6.13 and below.


FortiOS-6K7K version 6.4.2.
FortiOS-6K7K version 6.2.6 and below.

Solutions

Upgrade to FortiOS 7.0.0 or above.
Upgrade to FortiOS 6.4.6 or above.
Upgrade to FortiOS 6.2.10 or above.
Upgrade to FortiOS 6.0.13 or above.
Upgrade to FortiOS 5.6.14 or above.


Upgrade to FortiOS-6K7K version 6.2.7 or above.


For new high-end F-Series Models (FG-1800F, FG-3800F, FG-4200F, FG-4400F) please upgrade to 6.2.9