FortiOS 6.0.6 / FortiClientWindows 6.0.6 / FortiClientMac 6.2.1 XOR Encryption Vulnerability

ID 1337DAY-ID-33600
Type zdt
Reporter Stefan Viehbock
Modified 2019-11-29T00:00:00


Fortinet products, including FortiGate and FortiClient, regularly send information to Fortinet servers using XOR "encryption" with a static key. Affected are FortiOS versions 6.0.6 and below, FortiClientWindows versions 6.0.6 and below, and FortiClientMac versions 6.2.1 and below. After this advisory was released, Fortinet confirmed that only FortiOS version 6.2.0 includes the patch.

              title: FortiGuard XOR Encryption
            product: Multiple Fortinet Products (see Vulnerable / tested versions)
 vulnerable version: Multiple (see Vulnerable / tested versions)
      fixed version: Multiple (see Solution)
         CVE number: CVE-2018-9195
             impact: High
                 by: Stefan Viehböck (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America



Vendor description:
"From the start, the Fortinet vision has been to deliver broad, truly
integrated, high-performance security across the IT infrastructure.

We provide top-rated network and content security, as well as secure access
products that share intelligence and work together to form a cooperative
fabric. Our unique security fabric combines Security Processors, an intuitive
operating system, and applied threat intelligence to give you proven security,
exceptional performance, and better visibility and control--while providing
easier administration."


Business recommendation:
The vendor provides a patch and users of affected products are urged to
immediately upgrade to the latest version available.

Vulnerability overview/description:
Fortinet products, including FortiGate and FortiClient, regularly send
information to Fortinet servers (DNS: on
- UDP ports 53, 8888 and
- TCP port 80 (HTTP POST /fgdsvc)

This cloud communication is used for the FortiGuard Web Filter feature (,
FortiGuard AntiSpam feature (
and FortiGuard AntiVirus feature (

The messages are encrypted using XOR "encryption" with a static key.

The protocol messages contain the following types of information:

**Serial number of the Fortinet product installation** (product type + unique ID).
This information allows an attacker who can **passively monitor** internet traffic to:
- learn which Fortinet products and product types an organization uses
  (this is valuable for information gathering, see EquationGroup Fortigate exploits)
- learn which FortiClient installations are part of an organization
- use the FortiClient serial number as a unique identifier to track an individual as
  he/she travels the world

**Full HTTP URLs of users web surfing activity** (Web Filter feature).
This information allows an attacker who can **passively monitor** internet traffic
to spy on users' web surfing activity. In cases where SSL inspection is enabled,
even the URLs of HTTPS-encrypted communication are sent via this protocol,
effectively breaking the confidentiality of SSL/TLS.

**Unspecified email data** (AntiSpam feature).
We do not have any further information on what kind of information is sent by the
AntiSpam feature.

**Unspecified AntiVirus data** (AntiVirus feature).
We do not have any further information on what kind of information is sent by the
AntiVirus feature.

By **intercepting and manipulating** internet traffic an attacker can
manipulate the responses for the FortiGuard Web Filter, AntiSpam and AntiVirus features.

Proof of concept:
The following Python 3 script decrypts a FortiGuard message (the static XOR key
has been removed from this advisory).

from itertools import cycle

def forti_xor(s1):
    # static repeating key (bytes); removed from this advisory
    xor_key = **removed**
    # XOR each message byte with the next key byte, cycling the key;
    # the same function also encrypts, since XOR is its own inverse
    message = ''.join(chr(c ^ k) for c, k in zip(s1, cycle(xor_key)))
    return message



In this case the encrypted message's contents, once decrypted, are:
'\x02\x02\x01\x04\x04\x00\x00\x00FGVMEV0000000000\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\[email protected]\x00\x00\x00\x00\x00\x00...'
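The following is an added example, not code from the advisory or from Fortinet, showing why a repeating XOR key gives no confidentiality once the message layout is known. It uses a constructed 5-byte key (DEMO_KEY, nothing to do with the real, removed key) and a constructed plaintext laid out like the decrypted sample above (8-byte header, 16-byte serial, zero padding). Because XOR with a zero byte leaves the key byte in the ciphertext, a single captured message with known padding is enough to recover the whole key and every later message, which is why only upgrading to the fixed versions listed under Solution mitigates the issue.

```python
from itertools import cycle

# Constructed demo key for illustration only; the real static key was removed
# from the advisory and is not reproduced here.
DEMO_KEY = bytes.fromhex("a5c3f07e1d")


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. Encrypting and decrypting are the same step."""
    return bytes(c ^ k for c, k in zip(data, cycle(key)))


def build_demo_message(serial: bytes, padding: int = 16) -> bytes:
    """Constructed plaintext in the layout of the advisory's decrypted sample:
    8-byte header, 16-byte serial, then a run of zero bytes."""
    header = b"\x02\x02\x01\x04\x04\x00\x00\x00"
    return header + serial.ljust(16, b"\x00") + b"\x00" * padding


def recover_key(ciphertext: bytes, known: dict, key_len: int) -> bytes:
    """Derive a repeating XOR key of length key_len from ONE message, given a
    map offset -> known plaintext byte. Zero bytes are the easiest case, since
    there the ciphertext byte equals the key byte. Raises ValueError when the
    known bytes contradict each other or leave a key position uncovered."""
    key = [None] * key_len
    for off, plain in known.items():
        i = off % key_len
        k = ciphertext[off] ^ plain
        if key[i] is not None and key[i] != k:
            raise ValueError(f"inconsistent key byte at position {i}")
        key[i] = k
    if any(b is None for b in key):
        raise ValueError("known plaintext does not cover every key position")
    return bytes(key)


def guess_key_len(ciphertext: bytes, known: dict, max_len: int = 32) -> int:
    """Smallest key length for which the known plaintext bytes are consistent.
    A wrong length forces two different key values onto the same position."""
    for key_len in range(1, max_len + 1):
        try:
            recover_key(ciphertext, known, key_len)
            return key_len
        except ValueError:
            continue
    raise ValueError("no consistent key length up to max_len")


def demo() -> dict:
    """Encrypt a constructed message, then recover the key from the ciphertext
    alone using nothing but the knowledge that the tail is zero padding."""
    plaintext = build_demo_message(b"FGVMEV0000000000")
    ciphertext = xor_with_key(plaintext, DEMO_KEY)
    # Observer-side knowledge: only the layout (offsets 24.. are 0x00), not the key.
    known = {off: 0x00 for off in range(24, len(plaintext))}
    key_len = guess_key_len(ciphertext, known)
    recovered = recover_key(ciphertext, known, key_len)
    decrypted = xor_with_key(ciphertext, recovered)
    return {
        "key_len": key_len,
        "recovered_key": recovered,
        "decrypted": decrypted,
        "plaintext": plaintext,
    }


if __name__ == "__main__":
    result = demo()
    print("recovered key:", result["recovered_key"].hex())
    print("decrypted    :", result["decrypted"])
```

The 16 padding bytes cover every position of the 5-byte demo key, so one message suffices; with a longer key the same attack simply needs more known bytes, and the serial prefix or the fixed header would serve just as well as padding. Nothing here depends on the key value, which is the point: a static XOR key is a protocol constant, not a secret.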

Another example:

Vulnerable / tested versions:
The following versions are affected according to the vendor:
* FortiOS 6.0.6 and below
* FortiClientWindows 6.0.6 and below
* FortiClientMac 6.2.1 and below

The security advisory of the vendor can be found at:

Vendor contact timeline:
2018-05-17: Contacting vendor through [email protected], sending advisory with
            public PGP key
2018-05-17: Auto-Response: "Thank you for contacting us regarding your
            inquiry. We have created a PSIRT ticket for this inquiry"
2018-05-17: Response: "Thank you to report us this vulnerability. I created
            an internal incident and I will communicate further with you while
            I'm investigating the impact of this."
2018-05-28: Requesting update, "If we don't get an appropriate response (see my
            initial email) by the end of next week, we will consider disclosing
            the vulnerability without further coordination."
2018-05-28: Auto-Response: "Thank you for contacting us regarding your inquiry.
            We have created a PSIRT ticket for this inquiry"
2018-06-05: Requesting update again, "This is the final attempt to contact you",
            plus reaching out to Fortinet via Twitter, LinkedIn.
2018-06-05: First response after 3 weeks, developers are working on a fix,
            "Please therefore kindly wait for further updates, while we are
            coordinating various stakeholders (including FortiGuard servers
            maintainers) for a fix."
2018-06-06: Requesting conference call.
2018-06 - 2019-11: Multiple conference calls, discussing technical details, agreeing
            on disclosure time
2019-03-28: Fix released in FortiOS 6.2.0
2019-04-01: Fix issued on FortiGuard server side
2019-11-13: Fix released for FortiOS branch 6.0, version 6.0.7
2019-11-25: Public release of security advisory

Solution:
The vendor provides updated versions for the affected products:
* FortiOS 6.0.7 or 6.2.0
* FortiClientWindows 6.2.0
* FortiClientMac 6.2.2

# [2019-12-04]  #