Fortinet Solutions for 18 Months Included Encryption Keys

Built-in encryption keys in Fortinet
Written by Valdis Koks

Three Fortinet’s products had built-in encryption keys that exposed customer data to passive interception. It took the company more than six months to fix the problem.

Built-in encryption keys were found in FortiOS (version 6.0.6 and below) for FortiGate firewalls and in FortiClient antivirus software for macOS (6.2.1 and below) and Windows (6.0.6 and below). These products use weak security encryption (XOR) and built-in cryptographic keys to communicate with various FortiGate cloud services.

Use of a hardcoded cryptographic key in the FortiGuard services communication protocol may allow a Man in the middle with knowledge of the key to eavesdrop on and modify information (URL/SPAM services in FortiOS 5.6, and URL/SPAM/AV services in FortiOS 6.0.; URL rating in FortiClient) sent and received from Fortiguard severs by decrypting these messages.” — report FortiGuard Labs developers.

These keys were used to encrypt user traffic while running the functions of the web filter, antispam and antivirus in FortiGuard. As a result, an attacker could monitor the traffic of a user or company and could use hard-coded keys and decrypt data streams.

In this case, in the hands of the attacker could pass:

  • Full HTTP or HTTPS links visited by users that are checked by Web Filter
  • Email data that is being tested through AntiSpam
  • Anti-virus data that is passed for testing to the Fortinet cloud.

An attacker can also use the built-in encryption key to modify and re-encrypt responses and thus block warnings about the detection of malware or URLs.

In May 2018, SEC Consult Security Specialist Stefan Viehböck discovered problems in three Fortinet products.

Read also: Experts do not advise to restart the computer after an encryptor attack

Although Fortinet was informed of the problems in May 2018, the company confirmed their presence only three weeks later. Fixing of Vulnerability took even longer – Fortinet only removed encryption keys from the latest versions of FortiOS in March 2019. It then took the company another eight months to remove them from the old versions, and the latest patch was released earlier this month.


Now users are advised to upgrade FortiOS to version 6.0.7 or 6.2.0 as soon as possible, FortiClientWindows to version 6.2.0, and FortiClientMac to version 6.2.2.

About the author

Valdis Koks

Security engineer, reverse engineering and memory forensics

Leave a Comment