CVE-2019-15703

HIGH

Fortinet FortiOS <6.2.1 - Info Disclosure

Description

An Insufficient Entropy in PRNG vulnerability in Fortinet FortiOS 6.2.1, 6.2.0, 6.0.8 and below, on devices that do not enable the hardware TRNG token and on models that do not support a built-in TRNG seed, allows an attacker to theoretically recover the long-term ECDSA secret in a TLS client using an RSA handshake and mutual ECDSA authentication, with the help of flush+reload side-channel attacks, in FortiGate VM models only.

References (1)

Core References
Vendor Advisory x_refsource_misc
https://fortiguard.com/psirt/FG-IR-19-186

Scores

CVSS v3 7.5
EPSS 0.0100
EPSS Percentile 58.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-331
Status published
Products (1)
fortinet/fortios < 5.6.9
Published Oct 24, 2019
Tracked Since Feb 18, 2026