A vulnerability in the outdated ANSI X9.31 random number generator (RNG) can allow attackers to recover encryption keys and read data passing through VPN connections and encrypted web browser sessions, researchers warned.
The vulnerability has been dubbed DUHK (Don’t Use Hard-coded Keys) and it has been found to affect the products of at least a dozen vendors. The issue was discovered by cryptography experts Shaanan Cohney, Nadia Heninger, and Matthew Green.
ANSI X9.31 is a pseudorandom number generator that was standardized in 1985 and it was compliant with the Federal Information Processing Standards (FIPS) requirements until January 2016. The RNG relies on a static key to generate random numbers and that key must remain secret in order for the system to be secure.
However, some companies implemented X9.31 with a static key that has been stored directly in the source code of the product. This allows an attacker to obtain the key from the application’s source code or binary and use it to decrypt communications associated with that product.
In some cases, an attacker may be able to recover the private key in just a few seconds via the DUHK attack, which works only if the RNG is used directly to generate crypto keys and if the attacker can obtain some of the generated numbers.
The weakness has been known since 1998, but neither NIST nor entities involved in the FIPS standardization process specified a method for securely generating the key.
An analysis of hundreds of products that implemented the X9.31 RNG revealed that 12 of them had used static hardcoded keys in the source code, leaving their users vulnerable to attacks.
The list of affected products included the BeCrypt Cryptographic Library, Cisco Aironet, DeltaCrypt FIPS Module, Fortinet’s FortiOS, MRV Communications’ LX-4000T/LX-8020S, Neoscale’s CryptoStor, Neopost’s Postal Security Devices, Renesas’ AE57C1, TechGuard’s PoliWall-CCF, Tendyron’s OnKey193, ViaSat’s FlagStone Core, and the Vocera Cryptographic Module. Many of the affected vendors have since removed the use of X9.31 from their products.
The researchers tested the practicality of the attack method against Fortinet’s FortiGate VPN gateway products, which run the FortiOS operating system. An Internet scan conducted this month showed that there are more than 25,000 Fortinet devices that are vulnerable and exploitable.
“And this count is likely conservative, since these were simply the devices that bothered to answer us when we scanned. A more sophisticated adversary like a nation-state would have access to existing VPN connections in flight,” Green explained in a blog post.
The vulnerability affects Fortinet devices running FortiOS versions 4.3.0 through 4.3.18. The vendor addressed the issue, which it tracks as CVE-2016-8492, last year with the release of versions 4.3.19 and 5.0.
There is no evidence of DUHK attacks in the wild and the researchers who discovered the flaw say they don’t plan on releasing any code used in their implementation of the method.
Furthermore, while the actual key recovery might be easy, a real-world attack exploiting this vulnerability is difficult to conduct. However, the flaw could be highly useful for a state-sponsored actor such as the NSA, which has far greater capabilities compared to the average threat group. It’s also worth mentioning that the attack is passive so it would not be easy to detect, researchers said.
A few years ago, the NSA was accused of promoting the use of the backdoored Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG). However, experts have now pointed out that Dual EC was not as widely used as X9.31.