virus logo PSIRT

OpenSSL vulnerabilities - June 2015

description-logo Description

OpenSSL released a security advisory in June 2015 to announce multiple security vulnerabilities.

Impact Detail

Denial of service (CVE-2015-1788, CVE-2015-1789, CVE-2015-1792, CVE-2014-8176) and possible memory corruption (CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2014-8176).There is no known public exploit for any of the mentioned CVE in the OpenSSL advisory.

Solutions

With regards to the recent OpenSSL updates to address CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791 and CVE-2015-1792, Fortinet will update OpenSSL for the following products that contain the affected versions of OpenSSL:
  • FortiOS 5.2.3 and earlier
  • FortiManager 5.2.2 and earlier
  • FortiAnalyzer 5.2.2 and earlier
  • FortiMail 5.0.8/5.1.5/5.2.4 and earlier
  • FortiAuthenticator (versions before 4.0)
  • AscenLink 7.2.4 and earlier
  • FortiRecorder 2.0 and earlier
  • FortiWan 4.0.2 and earlier
  • FortiClient Windows/Mac 5.2.3 and earlier
  • FortiClient Android 5.2.5 and earlier

Fortinet believes the exploitability and risk in these issues are low or non-existent, but the following workarounds are suggested for customers unable to deploy an update when available:
CVE-2015-1788 workaround: Limit access to features that validates TLS client authentication with a certificate
CVE-2015-1789 workaround: Limit access to features that validates TLS client authentication with a certificate or which verify CRLs when used as a TLS client
CVE-2015-1790 workaround: Limit access to devices that can import PKCS7.
CVE-2015-1791 workaround : Fortinet products are not affected.
CVE-2015-1792 workaround: Limit access to features that handles S/MIME messages.
Special consideration for CVE-2015-4000 “Logjam”:
See FortiGuard bulletin FG-IR-15-013http://www.fortiguard.com/advisory/FG-IR-15-013/\">FG-IR-15-013 for details.
The following products must be upgraded to the updated versions:
  • FortiOS 4.3.16, FortiOS 5.0.8 or above, FortiOS 5.2.3 or earlier
  • FortiManager 5.0.9 or earlier
  • FortiAnalyzer 5.0.9 or earlier
  • FortiAP 5.0.8 or earlier
  • AscenLink 7.2.3 or earlier
  • FortiADC 4.2.0 or earlier
  • FortiAuthenticator 3.1.0 or earlier
  • FortiCache 3.0.0 or earlier
  • FortiClient Windows/MAC 5.2.3 or earlier
  • FortiClient iOS 5.2.1 or earlier
  • FortiClient Android 5.2.6 or earlier
  • FortiDDoS 4.1.5 or earlier
  • FortiMail 4.3.10 or earlier
  • FortiRecorder 2.0.1 or earlier
  • FortiSandbox 2.0.0 or earlier
  • FortiVoice Enterprise 3.0.6 or earlier
  • FortiWeb 5.3.3 or earlier
  • FSSO build 235 or earlier

For all products, please contact Fortinet TAC support for updates on the patched release current ETA.

References
IR Number FG-IR-15-014
Date Jun 11, 2015
Severity Low
Impact Denial of service and memory corruption
CVE ID CVE-2014-8176 CVE-2015-1788 CVE-2015-1789 CVE-2015-1790 CVE-2015-1791 CVE-2015-1792
CVRF Download