PSIRT Advisory

The ROBOT Attack - Return of Bleichenbacher's Oracle Threat

Summary

A plaintext recovery of encrypted messages or a Man-in-the-middle (MiTM) attack on RSA PKCS #1 v1.5 encryption may be possible without knowledge of the server's private key.


FortiOS is affected by the following two CVEs:

CVE-2018-9192: ROBOT attack under SSL Deep Inspection when CPx is being used

CVE-2018-9194: ROBOT attack under VIP SSL offloading when CPx is being used

Impact

Information Exposure Through Discrepancy

Affected Products

FortiOS is affected:


CVE-2018-9192:

5.2 branch: not vulnerable

5.4 branch: 5.4.6 to 5.4.9

5.6 branch: not vulnerable

6.0 branch: 6.0.0 to 6.0.1


CVE-2018-9194:

5.2 branch: not vulnerable

5.4 branch: 5.4.6 to 5.4.9

5.6 branch: not vulnerable

6.0 branch: 6.0.0 to 6.0.1


The following Fortinet products are NOT affected:


FortiSwitch

FortiAP

FortiAnalyzer

FortiMail

FortiManager

FortiWeb


Details of how FortiOS is affected:


CVE-2018-9192 - only when all of the conditions below are met:


1. The model supports a content processor (CPx) and KXP traffic acceleration is enabled (enabled is the default value)

2. SSL Deep Inspection UTM profile is used


CVE-2018-9194 - only when all of the conditions below are met:


1. The FortiGate model supports a content processor (CPx) and KXP traffic acceleration is enabled (enabled is the default value)

2. VIP SSL offloading is used [1]


[1] A typical VIP SSL offloading CLI config (only shows key CLI configs):

config firewall vip
  edit [vip-name]
    set type server-load-balance
  next
end
config firewall policy
  edit [policy-id]
    set dstaddr [vip-name]
    set utm-status enable
    set ssl-ssh-profile [profile-name]
  next
end

Solutions

Upgrade to FortiOS 6.0.2 or above in branch 6.0, or to 5.4.10 or above in branch 5.4 (the FortiOS 5.2 and 5.6 branches are not impacted).


Workarounds:


For CVE-2018-9192, only one workaround is available:

The workaround is to disable KXP traffic acceleration (FortiOS 6.0 CLI shown as an example):
config system global
set proxy-kxp-hardware-acceleration disable
end


For CVE-2018-9194, three types of workaround are available:

One workaround is to disable KXP traffic acceleration (FortiOS 6.0 CLI shown as an example):
config system global
set proxy-kxp-hardware-acceleration disable
end

Users can also avoid the attack by disabling RSA cipher suites in the TLS protocol, using one of the following two CLI settings:

o By ensuring that only PFS (Perfect Forward Secrecy) ciphers are used:
config firewall vip
  edit [vip-name]
    set ssl-pfs require (only using PFS ciphers)
  next
end

o By specifying only custom ciphers that do not use RSA:
config firewall vip
  edit [vip-name]
    config ssl-cipher-suites
      edit [suite-id]
        set cipher (ciphers that do not include TLS-RSA-xxx)
      next
    end
  next
end

* Please refer to your local TAC for further help with applying the workarounds.
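
An added example, not part of Fortinet's advisory: a Python check of a FortiOS configuration backup against the CVE-2018-9194 conditions and workarounds listed above. It assumes the caller supplies the FortiOS version, treats every VIP of type server-load-balance as doing SSL offloading, and uses hypothetical function names and a constructed sample configuration.

```python
import re

# Affected patch levels per branch, as listed in the advisory (helper names are hypothetical).
AFFECTED = {(5, 4): range(6, 10), (6, 0): range(0, 2)}

def exposed_vips(config):
    """server-load-balance VIPs (assumed to do SSL offloading) lacking both RSA workarounds."""
    exposed, path, vip = [], [], None
    for words in filter(None, map(str.split, config.splitlines())):
        key, in_vip = words[0], path == ["firewall vip"]
        if key == "config":
            path.append(" ".join(words[1:]))
        elif key == "end" and path:
            path.pop()
        elif key == "edit" and in_vip and len(words) > 1:
            vip = {"name": words[1].strip('"'), "slb": False, "pfs": False, "ciphers": []}
        elif key == "next" and in_vip and vip:
            no_rsa = vip["ciphers"] and not any(c.startswith("TLS-RSA-") for c in vip["ciphers"])
            if vip["slb"] and not (vip["pfs"] or no_rsa):
                exposed.append(vip["name"])
            vip = None
        elif key == "set" and vip and len(words) == 3:
            if words[1:] == ["type", "server-load-balance"]:
                vip["slb"] = True
            elif words[1:] == ["ssl-pfs", "require"]:
                vip["pfs"] = True
            elif words[1] == "cipher" and path[-1] == "ssl-cipher-suites":
                vip["ciphers"].append(words[2])
    return exposed

def cve_2018_9194_findings(version, config):
    """VIPs still exposed, or [] when the version or KXP precondition is not met."""
    major, minor, patch = (int(p) for p in version.split("."))
    kxp_off = re.search(r"^\s*set proxy-kxp-hardware-acceleration disable\s*$", config, re.M)
    if patch not in AFFECTED.get((major, minor), ()) or kxp_off:  # KXP is enabled by default
        return []
    return exposed_vips(config)

# Constructed sample configuration (not taken from a real device).
SAMPLE = """config firewall vip
    edit "web-a"
        set type server-load-balance
    next
    edit "web-b"
        set type server-load-balance
        set ssl-pfs require
    next
end
"""
```

The check does not test whether the model has a CPx content processor, so a non-empty result on a model without one is not a finding.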


Update History:

12-22-2017 Initial Version.

08-27-2018 Add CVE-2018-9192, CVE-2018-9194.

09-11-2018 Provide more workarounds for CVE-2018-9194.

Acknowledgement

Fortinet is pleased to thank "Adam Kavan of Professional Research Consultants" for reporting CVE-2018-9192 under responsible disclosure.

Fortinet is pleased to thank "Lars Müller of BTC AG" for reporting CVE-2018-9194 under responsible disclosure.