The ROBOT Attack - Return of Bleichenbacher's Oracle Threat (HTTPS) Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-17-302 Final 1 1 2018-08-27T00:00:00 Current version 2018-08-27T00:00:00 2018-08-27T00:00:00 A plaintext recovery of encrypted messages or a Man-in-the-middle (MiTM) attack on RSA PKCS #1 v1.5 encryption may be possible without knowledge of the server's private key.FortiOS are affected by the following two CVEs:CVE-2018-9192: ROBOT vulnerability reported under SSL Deep Inspection when CPx being usedCVE-2018-9194: ROBOT attack under VIP SSL offloading when CPx being usedFortiOS for admin port 443 is NOT vulnerable to the ROBOT attack. Information disclosure FortiOSCVE-2018-9192:5.2 branch: not vulnerable5.4 branch: 5.4.6 to 5.4.95.6 branch: not vulnerable6.0 branch: 6.0.0 to 6.0.1CVE-2018-9194:5.2 branch: not vulnerable5.4 branch: 5.4.6 to 5.4.95.6 branch: not vulnerable6.0 branch: 6.0.0 to 6.0.1The following Fortinet products are NOT affected:FortiSwitchFortiAPFortiAnalyzerFortiMailfortiManagerFortiWebDetails:CVE-2018-9192 - only when all of the conditions below are met:1. The model supports content processor (CPx) andKXP traffic acceleration is enabled (enabled is the default value)2. SSL Deep Inspection UTM profile is usedCVE-2018-9194 - only when all of the conditions below are met:1. The FortiGate model supports content processor (CPx) andKXP traffic acceleration is enabled (enabled is the default value)2. VIP SSL offloading is used [1][1] A typical VIP SSL offloading CLI config (only shows key CLI configs):config firewall vipedit [vip-name]set type server-load-balanceset server-type httpsnextendconfig firewall policyedit [policy-id]set dstaddr [vip-name]set utm-status enableset ssl-ssh-profile [profile-name]nextend Upgrade to FortiOS 6.0.2 and above in branch 6.0, or to 5.4.10 and above in branch 5.4 (FortiOS 5.2 and 5.6 branches not impacted).Workarounds:For CVE-2018-9192, only one workaround is available:A working workaround consists in disabling KXP traffic acceleration:config system globalset proxy-kxp-hardware-acceleration disableendFor CVE-2018-9194, three types of workaround are available:One workaround consists in disabling KXP traffic acceleration:config system globalset proxy-kxp-hardware-acceleration disableendAlso user can avoid such attack by disabling RSA ciphersuites in TLS protocol, by perform one of the following two CLI settings: By ensure only using PFS (Perfect Forward Secrecy) ciphers:config firewall vipedit [vip-name]set type server-load-balanceset server-type httpsset ssl-pfs require (only using PFS ciphers)nextend By only specific custom ciphers without using RSA:config firewall vipedit [vip-name]set type server-load-balanceset server-type httpsconfig ssl-cipher-suiteseditset cipher (ciphers not include TLS-RSA-xxx)nextendnextendEdited on: 13-10-2022 https://fortiguard.fortinet.com/psirt/FG-IR-17-302 The ROBOT Attack - Return of Bleichenbacher's Oracle Threat (HTTPS) https://robotattack.org/ https://robotattack.org/ https://www.kb.cert.org/vuls/id/144389 https://www.kb.cert.org/vuls/id/144389 Fortinet is pleased to thank "Adam Kavan of Professional Research Consultants" report CVE-2018-9192 under responsible disclosure. Fortinet is pleased to thank "Lars Müller of BTC AG" report CVE-2018-9194 under responsible disclosure. CVE-2018-9192 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:X/RC:X https://fortiguard.fortinet.com/psirt/FG-IR-17-302 The ROBOT Attack - Return of Bleichenbacher's Oracle Threat (HTTPS) Reference> https://robotattack.org/ https://robotattack.org/ https://www.kb.cert.org/vuls/id/144389 https://www.kb.cert.org/vuls/id/144389