Fortinet FortiManager Hard-Coded Key Vulnerability Allowing Decryption of Sensitive Data

Vulnerability

A vulnerability exists in Fortinet FortiManager versions 7.6.0 to 7.6.1, 7.4.0 to 7.4.5, 7.2.0 to 7.2.9, and all versions of 7.0 and 6.4. This vulnerability involves the use of a hard-coded cryptographic key to encrypt sensitive data, which can be exploited by an attacker with JSON API access permissions. Even with the 'private-data-encryption' setting enabled, some secrets can be decrypted, potentially leading to the extraction of sensitive internal data from the system.

Impact

Exploitation of this vulnerability allows for the decryption of certain encrypted passwords, which can then be used to access sensitive data from memory. There is a possibility, although unconfirmed, that this could lead to the extraction of sensitive internal data from the system.

Reproduction

The vulnerability can be reproduced by using the FortiManager JSON-RPC API. After setting a password, the encrypted buffer can be retrieved and decrypted using the publicly known key associated with CVE-2019-6693. This process can be automated with a Python script available in the Orange CERT-CC GitHub repository.

Remediation

Users are advised to upgrade FortiManager to version 7.2.10, 7.4.6 or 7.6.2.
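As an added example (not code from the advisory or from Fortinet), the following check maps a FortiManager version string against the affected ranges and fixed releases stated above, so an inventory script can flag hosts that still need the upgrade. Version strings and the 7.0/6.4 handling are taken from this advisory's text; where the advisory names no fixed release for a branch, the check says so rather than guessing.

```python
# Added example: classify a FortiManager version against the affected
# ranges and fixed releases listed in this advisory. The 7.0 and 6.4
# branches are affected in every release and no fixed release is named
# for them, so they are reported as affected with no listed fix.
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive (first affected, last affected) ranges per the advisory.
AFFECTED_RANGES = [
    ((7, 6, 0), (7, 6, 1)),
    ((7, 4, 0), (7, 4, 5)),
    ((7, 2, 0), (7, 2, 9)),
]
# Branches where every release is affected.
AFFECTED_BRANCHES = [(7, 0), (6, 4)]
# Fixed releases from the remediation section, keyed by branch.
FIXED = {(7, 2): (7, 2, 10), (7, 4): (7, 4, 6), (7, 6): (7, 6, 2)}


def parse_version(text: str) -> Version:
    """Parse '7.4.3' or 'v7.4' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in text.strip().lstrip("vV").split(".")]
    while len(parts) < 3:          # treat '7.4' as 7.4.0
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_affected(version: str) -> bool:
    v = parse_version(version)
    if v[:2] in AFFECTED_BRANCHES:
        return True
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def recommended_fix(version: str) -> Optional[str]:
    """Fixed release named for this branch, or None if the advisory lists none."""
    fix = FIXED.get(parse_version(version)[:2])
    return ".".join(map(str, fix)) if fix else None


def assess(version: str) -> str:
    """One-line verdict suitable for an inventory report."""
    if not is_affected(version):
        return f"{version}: not in an affected range"
    fix = recommended_fix(version)
    if fix:
        return f"{version}: affected; upgrade to {fix}"
    return f"{version}: affected; no fixed release listed for this branch"
```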

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.