Talk about a wild goose chase…
According to a few recently published/released security blogs and podcasts there’s a “new” vulnerability out there and it’s a DUHKing whopper.
This “brand new” vulnerability leverages a flaw in ANSI X9.31 Random Number Generator (RNG) in conjunction with a hard-coded seed key. Attackers who employ the “new” DUHK exploit are able to to recover secret encryption keys from vulnerable implementations of FortiOS software.
We wanted to take a moment or two to spend a bit of time explaining what exactly’s going on and why we don’t think it’s something a majority of people out there have to worry about.
Who’s vulnerable DUHK?
According to researchers at John Hopkins University (see below) anybody who’s VPN uses FortiOS 4.3.0 to FortiOS 4.3.18 is vulnerable to DUHK. The paper says that any encrypted communication passed through the affected VPNs aren open to unauthorized decryption. Business data, login credentials, credit card data, you name it, it’s all out in the DUHKing open. (<- see what I did there?)
Should you be worried?
Not if you’ve updated FortiOS beyond 4.3.18.
Turns out, despite all the “sky is falling” news regarding each “flavor of the week” cyber-threat, DUHK’s no spring chicken (heh, another bird pun) and Fortinet’s already plucked its feathers (I promise that’s it).
Fortinet stopped using ANSI X9.31 all together in 2014 with the initial release of Fortinet 5.X. It’s been a non-issue for the company since 2016 and the release of 4.3.19.
So is DUHK actually all that much of a threat?
No, not really. It’s goose was cooked before it could even fly the coop.
However, if you’re a legacy user and still using a version of FortiOS 4.3.X from before November 2016 then, yeah, you might be facing some level of exposure.
The majority of people who’d be affected by this are legacy users and anyone who’s evolved their security posture and upgraded their software/hardware since then should be absolutely fine and not have to worry.
What’s Security7 recommend?
Update your FortiOS if you’re running anything less than FortiOS 4.3.19. Other than that you’re probably fine.
If you are running FortiOS 4.3.18 or earlier and need more advice you should contact us. If this isn’t the kind of thing you want to manage on your own you should be thinking about employing an MSSP or MSP to handle it for you. We can promise you that none of our customers would be this behind curve when it comes to running up to date software.
Fortinet DUHK Vulnerability – https://blog.fortinet.com/2017/10/25/the-duhk-vulnerability
DUHK Attacks – https://duhkattack.com/
John Hopkins University – https://duhkattack.com/paper.pdf