fropert_FTNT
Staff
Article Id 192205
Description
The Rapid7 vulnerability scanner reports the following security risk: "TLS/SSL Server Is Using Commonly Used Prime Numbers"

The detailed description is:
"The server is using a common or default prime number as a parameter during the Diffie-Hellman key exchange. This makes the secure session vulnerable to a precomputation attack. An attacker can spend a significant amount of time to generate a lookup/rainbow table for a particular prime number. This lookup table can then be used to obtain the shared secret for the handshake and decrypt the session."

The popular standalone scanner script testssl.sh (https://testssl.sh/) produces a similar report: "experimental Common prime with 2048 bits detected"

This finding is reported against the FortiOS admin web UI port (usually port 443).

Scope
All FortiGate versions.

Solution
The feasibility of such an attack against a 2048-bit DH group is currently assessed as uncertain and unproven. FortiOS has no plan to address this issue as reported on the admin web UI port.

Customers should be advised to use a DH group of 2048 bits or above, using the following CLI commands in FortiOS:

# config system global
# set dh-params 2048
# end

Reference: https://weakdh.org/sysadmin.html
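
To confirm that the dh-params setting took effect, the DH group size negotiated on the admin port can be checked with the OpenSSL command-line client. The script below is an added example, not Fortinet tooling; its function names and sample output are constructed for illustration, and it reports only the group size, not whether the prime is a commonly used one.

```shell
#!/bin/sh
# Added example: confirm the DH group size offered on the admin port.
# Assumes the OpenSSL CLI, whose s_client output reports the ephemeral key
# on a line such as "Server Temp Key: DH, 2048 bits".

# Print the DH size in bits from s_client output on stdin; print nothing
# when the handshake did not use finite-field DHE (for example ECDHE).
dh_temp_key_bits() {
    sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*$/\1/p' | head -n 1
}

# Map a bit length to a verdict against the 2048-bit minimum advised above.
classify_dh_bits() {
    case "$1" in
        '')        echo "no-dhe" ;;
        *[!0-9]*)  echo "unparsed" ;;
        *)         if [ "$1" -ge 2048 ]; then echo "ok"; else echo "weak"; fi ;;
    esac
}

# Offer only DHE suites over TLS 1.2 so the server has to reveal its DH group.
# Usage: check_admin_port <host> [port]
check_admin_port() {
    host=$1
    port=${2:-443}
    out=$(openssl s_client -connect "$host:$port" -tls1_2 -cipher 'DHE' \
            </dev/null 2>/dev/null) || true
    bits=$(printf '%s\n' "$out" | dh_temp_key_bits)
    printf '%s:%s dh_bits=%s verdict=%s\n' \
        "$host" "$port" "${bits:-none}" "$(classify_dh_bits "$bits")"
}

# Constructed sample s_client excerpts (not captured from a real device).
SAMPLE_BEFORE='Peer signing digest: SHA256
Server Temp Key: DH, 1024 bits
---'
SAMPLE_AFTER='Peer signing digest: SHA256
Server Temp Key: DH, 2048 bits
---'
SAMPLE_ECDHE='Server Temp Key: X25519, 253 bits'
```

A verdict of no-dhe means the server did not negotiate a finite-field DHE suite with this client, so dh-params was not exercised in that handshake.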