PSIRT Advisories

FortiOS - RSA SSH host key lost at shutdown

Summary

A key management error vulnerability [CWE-320] affecting the RSA SSH host key in FortiOS may allow an unauthenticated attacker to perform a man in the middle attack.

Affected Products

At least
FortiOS version 7.2.0
FortiOS version 7.0.1 through 7.0.6
FortiOS version 6.4.0 through 6.4.9

Solutions

Please upgrade to FortiOS version 7.2.2 or above
Please upgrade to FortiOS version 7.0.8 or above
Please upgrade to FortiOS version 6.4.10 or above

Acknowledgement

Fortinet is pleased to thank Samuel Leslie for bringing this issue to our attention under responsible disclosure.