Headline
CVE-2022-22302: Fortiguard
A clear text storage of sensitive information (CWE-312) vulnerability in both FortiGate version 6.4.0 through 6.4.1, 6.2.0 through 6.2.9 and 6.0.0 through 6.0.13 and FortiAuthenticator version 5.5.0 and all versions of 6.1 and 6.0 may allow a local unauthorized party to retrieve the Fortinet private keys used to establish secure communication with both Apple Push Notification and Google Cloud Messaging services, via accessing the files on the filesystem.
** PSIRT Advisories**
FortiOS, FortiAuthenticator - Disclosure of private keys corresponding to Apple (APNS) and Google (GCM) certificates
Summary
A clear text storage of sensitive information (CWE-312) vulnerability in both FortiGate and FortiAuthenticator may allow a local unauthorized party to retrieve the Fortinet private keys used to establish secure communication with both Apple Push Notification and Google Cloud Messaging services, via accessing the files on the filesystem.
The potentially exposed private keys have been revoked, please upgrade to the versions provided in the solutions to support push proxy.
Affected Products
FortiOS version 6.4.0 through 6.4.1
FortiOS version 6.2.0 through 6.2.9
FortiOS version 6.0.0 through 6.0.13
FortiAuthenticator version 6.1.0
FortiAuthenticator version 6.0.0 through 6.0.4
FortiAuthenticator 5.5 all versions
Solutions
Please upgrade to FortiGate version 6.4.2 or above.
Please upgrade to FortiOS version 6.2.10 or above
Please upgrade to FortiOS version 6.0.14 or above
Please upgrade to FortiAuthenticator version 6.2.0 or above
Please upgrade to FortiAuthenticator version 6.1.1 or above
Please upgrade to FortiAuthenticator version 6.0.5 or above
Workaround in FortiOS:
Disable the FTM push service by using the below commands:
config system ftm-push
set status disable
end
Acknowledgement
Fortinet is pleased to thank Independent security researcher Tom Pohl (https://twitter.com/tompohl) for reporting this vulnerability under responsible disclosure.