5.8 - VU#111708

Executive Summary

Summary
Title	Fortigate UTM appliances share the same default CA certificate

Informations
Name	VU#111708	First vendor Publication	2012-11-02
Vendor	VU-CERT	Last vendor Modification	2012-11-02
Severity (Vendor)	N/A	Revision	M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Cvss Base Score	5.8	Attack Range	Network
Cvss Impact Score	4.9	Attack Complexity	Medium
Cvss Expoit Score	8.6	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#111708

Fortigate UTM appliances share the same default CA certificate

Original Release date: 02 Nov 2012 | Last revised: 02 Nov 2012

Overview

Fortigate UTM appliances that support SSL/TLS deep packet inspection share the same self-signed Fortigate CA certificate and associated private key across all devices. The private key, which has been compromised, allows attackers to create and sign fake certificates.

Description

Fortigate UTM appliances share the same self-signed Fortigate CA certificate. Companies that use these appliances for deep packet inspection will have most likely deployed the CA certificate to endpoint web browsers so certificate warnings will not be seen by an end-user. Since the associated private key has been compromised (published on the web), an attacker with a man-in-the-middle vantage point on the network will be able to simulate the behavior of the Fortigate appliance and eavesdrop on encrypted communications or spoof websites. Also, the attacker may digitally sign malicious software, spoofing the identity of the publisher.

Impact

Primarily at risk are users who have imported the compromised Fortigate CA certificate into their web browser or operating system. This risk applies equally within the company (connected to a network behind the Fortigate UTM appliance) as anywhere else. An attacker with a man-in-the-middle vantage point on the current network may be able to eavesdrop on encrypted communications. In addition, an attacker may falsify digital signatures such as Authenticode.

Solution

Install a new CA certificate

The vendor recommends the following steps be taken to address this vulnerability.

Admin creates/obtains a CA certificate for which only they have the private key.
Admin installs the CA certificate on FortiGate.
Admin uses "set caname xxx" to select that certificate for SSL deep inspection.

Disable the Fortigate CA certificate

Endpoints should not trust the self-signed Fortigate CA certificate. The following certificate information is for the certificate that should be distrusted:

Subject: "E = support@fortinet.com; CN = FortiGate CA; OU = Certificate Authority; O = Fortinet; L = Sunnyvale; S = California; C = US";
Thumbprint: 3e 20 7f 9a 6b d9 5c 7c 2b 89 11 67 d3 2f 57 87 2f 76 60 14

The preferrable way to distrust a CA certificate is to import it to the "Untrusted certificates" branch of the system certificate store. To continue the use of SSL/TLS deep packet inspection, a new, unique, CA certificate may be generated and imported into the Fortigate UTM appliance. To prevent users from experiencing certificate errors, that new CA certificate can be imported into web browsers. Chapter 6 of the FortiOS handbook contains instructions on how to replace the default CA certificate.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
Fortinet, Inc.	Affected	07 Sep 2012	30 Oct 2012

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	4.6	AV:A/AC:H/Au:N/C:C/I:N/A:N
Temporal	3.7	E:F/RL:W/RC:UC
Environmental	3.7	CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

http://docs.fortinet.com/fos40hlp/43/wwhelp/wwhimpl/common/html/wwhelp.htm?context=fgt&file=misc_utm_chapter.61.13.html
http://kb.fortinet.com/kb/viewContent.do?externalId=FD32404
http://www.fortinet.com/solutions/unified_threat_management.html
https://media.torproject.org/misc/2012-07-03-cyberoam-CVE-2012-3372.txt
http://docs.fortinet.com/fos40hlp/43/wwhelp/wwhimpl/js/html/wwhelp.htm

Credit

Thanks to Bitwiper for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs:CVE-2012-4948
Date Public:22 Oct 2012
Date First Published:02 Nov 2012
Date Last Updated:02 Nov 2012
Document Revision:19

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/111708

CWE : Common Weakness Enumeration

%	Id	Name
50 %	CWE-310	Cryptographic Issues
50 %	CWE-295	Certificate Issues

CPE : Common Platform Enumeration

Type	Description	Count
Hardware	Elitecore Cyberoam Unified Threat Management cpe:2.3:h:elitecore:cyberoam_unified_threat_management::::::::	1
Hardware	Fortinet Fortigate-1000c cpe:2.3:h:fortinet:fortigate-1000c:-:::::::*	1
Hardware	Fortinet Fortigate-100d cpe:2.3:h:fortinet:fortigate-100d:-:::::::*	1
Hardware	Fortinet Fortigate-110c cpe:2.3:h:fortinet:fortigate-110c:-:::::::*	1
Hardware	Fortinet Fortigate-1240b cpe:2.3:h:fortinet:fortigate-1240b:-:::::::*	1
Hardware	Fortinet Fortigate-200b cpe:2.3:h:fortinet:fortigate-200b:-:::::::*	1
Hardware	Fortinet Fortigate-20c cpe:2.3:h:fortinet:fortigate-20c:-:::::::*	1
Hardware	Fortinet Fortigate-300c cpe:2.3:h:fortinet:fortigate-300c:-:::::::*	1
Hardware	Fortinet Fortigate-3040b cpe:2.3:h:fortinet:fortigate-3040b:-:::::::*	1
Hardware	Fortinet Fortigate-310b cpe:2.3:h:fortinet:fortigate-310b:-:::::::*	1
Hardware	Fortinet Fortigate-311b cpe:2.3:h:fortinet:fortigate-311b:-:::::::*	1
Hardware	Fortinet Fortigate-3140b cpe:2.3:h:fortinet:fortigate-3140b:-:::::::*	1
Hardware	Fortinet Fortigate-3240c cpe:2.3:h:fortinet:fortigate-3240c:-:::::::*	1
Hardware	Fortinet Fortigate-3810a cpe:2.3:h:fortinet:fortigate-3810a:-:::::::*	1
Hardware	Fortinet Fortigate-3950b cpe:2.3:h:fortinet:fortigate-3950b:-:::::::*	1
Hardware	Fortinet Fortigate-40c cpe:2.3:h:fortinet:fortigate-40c:-:::::::*	1
Hardware	Fortinet Fortigate-5001a-Sw cpe:2.3:h:fortinet:fortigate-5001a-sw:-:::::::*	1
Hardware	Fortinet Fortigate-5001b cpe:2.3:h:fortinet:fortigate-5001b:-:::::::*	1
Hardware	Fortinet Fortigate-5020 cpe:2.3:h:fortinet:fortigate-5020:-:::::::*	1
Hardware	Fortinet Fortigate-5060 cpe:2.3:h:fortinet:fortigate-5060:-:::::::*	1
Hardware	Fortinet Fortigate-50b cpe:2.3:h:fortinet:fortigate-50b:-:::::::*	1
Hardware	Fortinet Fortigate-5101c cpe:2.3:h:fortinet:fortigate-5101c:-:::::::*	1
Hardware	Fortinet Fortigate-5140b cpe:2.3:h:fortinet:fortigate-5140b:-:::::::*	1
Hardware	Fortinet Fortigate-600c cpe:2.3:h:fortinet:fortigate-600c:-:::::::*	1
Hardware	Fortinet Fortigate-60c cpe:2.3:h:fortinet:fortigate-60c:-:::::::*	1
Hardware	Fortinet Fortigate-620b cpe:2.3:h:fortinet:fortigate-620b:-:::::::*	1
Hardware	Fortinet Fortigate-800c cpe:2.3:h:fortinet:fortigate-800c:-:::::::*	1
Hardware	Fortinet Fortigate-80c cpe:2.3:h:fortinet:fortigate-80c:-:::::::*	1
Hardware	Fortinet Fortigate-Voice-80c cpe:2.3:h:fortinet:fortigate-voice-80c:-:::::::*	1
Hardware	Fortinet Fortigaterugged-100c cpe:2.3:h:fortinet:fortigaterugged-100c:-:::::::*	1

Nessus® Vulnerability Scanner

Date	Description
2012-11-19	Name : The SSL certificate for this service was signed by a certificate authority (C... File : ssl_fortigate.nasl - Type : ACT_GATHER_INFO
2012-08-07	Name : The SSL certificate for this service was signed by a CA whose private key is ... File : ssl_cyberoam.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2014-02-17 12:07:30	Multiple Updates
2012-11-29 21:21:46	Multiple Updates
2012-11-29 21:20:28	Multiple Updates
2012-11-14 17:22:17	Multiple Updates

Global Informations

Type	Count
CWE ID(s)	2
CPE ID(s)	30
Nessus® Exploit(s)	2

	Related
5.8	CVE-2012-3372
5.3	CVE-2012-4948
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 2 more Alert(s)