The vulnerability's name stands for Don't Use Hard-coded Keys, and it can be exploited to recover encryption keys and expose VPN connections, payment information, intranet information, private enterprise data and several other encrypted communications carried out through an exploited device, according to a whitepaper detailing the attack.
The exploit was discovered by Shaanan Cohney and Nadia Heninger of the University of Pennsylvania and Matthew D. Green of Johns Hopkins University. The team developed the attack by reverse engineering FortiGate firmware images to find the hard-coded seed key, observing traffic coming from the affected device and, using the seed key, brute-forcing encrypted data to guess the rest of the encryption parameters.
The series of exploits ultimately allowed the researchers to determine the main encryption key. The attack takes up to four minutes to carry out and affects Fortinet FortiGate devices using FortiOS 4.3.0 to FortiOS 4.3.18.
Researchers found more than 23,000 older Fortinet 4.x devices exposed online at the time their paper was written.
The vulnerability is caused by the use of the ANSI X9.31 Random Number Generator (RNG) in conjunction with hardware vendors using a hard-coded "seed key" for the ANSI X9.31 RNG algorithm. Researchers said that, normally, vendors should generate a random seed key at device startup or before launching the ANSI X9.31 algorithm to prevent exploits.
The researchers disclosed the vulnerability to Fortinet in October 2016, to which the firm responded by releasing a patch for affected versions of FortiOS.
A similar flaw was spotted in Cisco Aironet devices. Researchers reported the flaw to Cisco in June 2017; however, after performing an internal investigation, Cisco determined that the affected software versions had all reached end-of-support status. Vulnerabilities like this are a prime example of how there's no magic bullet to stop malware.
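Why a hard-coded seed key defeats X9.31, as an added example that is not code from the whitepaper or from any vendor: anyone who holds the key can compute the generator's next state from two observed outputs and a rough timestamp range, while a key generated at startup leaves them with nothing. Assumptions: a hash-based Feistel cipher stands in for the real block cipher, and the key, timestamps and window are constructed values.

```python
import hashlib, os

HARDCODED_KEY = b"constructed-demo-key"   # constructed; stands for a key baked into firmware

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):                    # Feistel round function (toy stand-in, assumption)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def enc(key, blk):                         # toy 128-bit block cipher E_K
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r

def x931_step(key, v, t):
    """One X9.31 iteration: I = E(T); R = E(I ^ V); V' = E(R ^ I)."""
    i = enc(key, t.to_bytes(16, "big"))
    r = enc(key, xor(i, v))
    return r, enc(key, xor(r, i))

def recover_state(key, r0, r1, t_window, max_gap=10):
    """Return the state after r1 if `key` is the generator's key, else None.
    Needs only two observed outputs and a rough timestamp range."""
    for t0 in t_window:
        i0 = enc(key, t0.to_bytes(16, "big"))
        v1 = enc(key, xor(r0, i0))         # next state follows from output + key
        for gap in range(1, max_gap + 1):
            r, v2 = x931_step(key, v1, t0 + gap)
            if r == r1:                    # second output confirms the timestamp guess
                return v2
    return None

def simulate(key, t0=1_000_000):
    """Constructed device run: secret random seed V, two outputs 3 ticks apart."""
    v = os.urandom(16)
    r0, v = x931_step(key, v, t0)
    r1, v = x931_step(key, v, t0 + 3)
    return r0, r1, v

def audit(device_key):
    """True if a holder of HARDCODED_KEY can reconstruct the device's RNG state."""
    r0, r1, v_actual = simulate(device_key)
    window = range(999_500, 1_000_500)
    return recover_state(HARDCODED_KEY, r0, r1, window) == v_actual
```

`audit(HARDCODED_KEY)` models the affected firmware; `audit(os.urandom(32))` models the fix the researchers describe, a key generated at device startup.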
“Companies cannot count on firewalls or any other type of security system to keep them protected from all forms of malware. Security is an evolving industry and new vulnerabilities are constantly surfacing,” Plixer Chief Executive Officer Michael Patterson said. “Beyond keeping systems patched, security practitioners need to assume malware is already present on the network.”
Patterson added that sometimes the only way to uncover an infection is to watch for the telltale signs using network traffic analytics and that researchers may have to wait until the malware makes a move before they can catch it.