-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0484
              Information Disclosure Vulnerability in OpenSSL
                               10 April 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiGate (FortiOS) 5.x
                   FortiAuthenticator 3.x
                   FortiMail 5.x
                   FortiVoice
                   FortiRecorder
                   FortiADC D-Series models 1500D, 2000D and 4000D
                   FortiADC E-Series 3.x
                   Coyote Point Equalizer GX / LX 10.x
Publisher:         FortiGuard
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0160  

Reference:         ESB-2014.0457

Original Bulletin: 
   http://www.fortiguard.com/advisory/FG-IR-14-011/

- --------------------------BEGIN INCLUDED TEXT--------------------

Information Disclosure Vulnerability in OpenSSL

Info

Risk			5 Critical 
Date			Apr 08 2014
Impact			Information Disclosure
CVE ID			CVE-2014-0160
Fixed In Firmware	Special Release

An information disclosure vulnerability has been discovered in OpenSSL versions 
1.0.1 through 1.0.1f. This vulnerability may allow an attacker to access 
sensitive information from memory by sending specially-crafted TLS heartbeat 
requests.

Impact

Under certain circumstances, exploitation of this vulnerability can result in 
the disclosure of sensitive information.

Affected Products

FortiGate (FortiOS) 5.x
FortiAuthenticator 3.x
FortiMail 5.x
FortiVoice
FortiRecorder
FortiADC D-Series models 1500D, 2000D and 4000D
FortiADC E-Series 3.x
Coyote Point Equalizer GX / LX 10.x

Solutions

A firmware update for FortiOS is available at http://support.fortinet.com. 
This vulnerability is fixed in FortiOS version 5.0.7.

Firmware updates for FortiAuthenticator, FortiMail and FortiRecorder will be 
available on Friday April 11th. Firmware release dates for other products are 
pending.

The following workarounds are available:

1. Apply the mitigating IPS signature to interface policies on affected 
FortiGate devices. The IPS signature was released in IPS update 4.476 and is 
named "OpenSSL.TLS.Heartbeat.Information.Disclosure". Note that this will 
affect traffic destined to the FortiGate and transit traffic. Follow the steps 
below to configure the FortiGate firewall to use this signature:

1.1. Applying the signature to an IPS profile.

Use the following syntax to create a new IPS profile. The new profile will 
reset SSL connections attempting to use the OpenSSL Heartbleed vulnerability.

config ips sensor
  edit "ssl.heartbleed"
    config entries
      edit 1
        set action reset
        set rule 38307
        set status enable
      next
    end
  next
end

1.2. Define an SSL services group.

Note: This group is only provided as a sample service group. Include all SSL 
service ports that are applicable in your environment.

config firewall service custom
  edit "SSLVPN"
    set tcp-portrange 10443
  next
end
config firewall service group
  edit "SSL-Services"
    set member "HTTPS" "SSLVPN"
  next
end

1.3. Apply this sensor to an interface policy (which applies to both local and 
transit traffic) or regular firewall policy (transit traffic only).

Make sure the policy to which this sensor is applied is specific to SSL 
services.

To apply an IPS signature to an interface policy, use the following steps:

Note: this policy will protect the FortiGate itself on the WAN1 interface and 
all transit traffic arriving on the WAN1 interface for SSL services only.

config firewall interface-policy
  edit 0
    set interface "wan1"
    set srcaddr "all"
    set dstaddr "all"
    set service "SSL-Services"
    set ips-sensor-status enable
    set ips-sensor "ssl.heartbleed"
  next
end

2. Disable any vulnerable SSL services that are not mission critical.
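The bulletin names the IPS signature that workaround 1 applies but does not describe what it matches. As an added example (not Fortinet's or AusCERT's code, and not a description of how the FortiGate signature is implemented), the Python detector below performs the bounds check that OpenSSL 1.0.1g added for CVE-2014-0160 on raw TLS records: a heartbeat message whose declared payload_length plus the mandatory 16 bytes of padding does not fit inside the record is treated as malformed and the connection is marked for reset, which is the action the sensor above is configured with. Record and heartbeat layouts follow RFC 5246 and RFC 6520; the two sample records are constructed inline for the example.

```python
"""
Bounds check for TLS heartbeat records (CVE-2014-0160 pattern).

Added example: not part of the Fortinet/AusCERT bulletin and not the
FortiGate IPS signature's logic (the bulletin does not publish that).
It applies the check introduced in OpenSSL 1.0.1g: 1 (type) + 2 (length)
+ payload_length + 16 (minimum padding) must not exceed the record body.
"""
import struct

CONTENT_TYPE_HEARTBEAT = 24   # TLS record content type for heartbeat (RFC 6520)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16              # RFC 6520 requires at least 16 bytes of padding


def parse_tls_record(data: bytes):
    """Split one TLS record into (content_type, version, body); None if truncated."""
    if len(data) < 5:
        return None
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        return None               # header promises more bytes than are present
    return content_type, (major, minor), body


def classify_heartbeat(body: bytes) -> str:
    """
    Classify one heartbeat message body:
      'ok'               - declared length fits in the record
      'malformed-length' - declared length exceeds what the record carries
      'too-short'        - not even a type byte and length field
      'unknown-type'     - heartbeat type other than request/response
    """
    if len(body) < 3:
        return "too-short"
    hb_type = body[0]
    payload_length = struct.unpack("!H", body[1:3])[0]
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return "unknown-type"
    # The OpenSSL 1.0.1g check: the payload and its padding must fit in the record.
    if 1 + 2 + payload_length + MIN_PADDING > len(body):
        return "malformed-length"
    return "ok"


def inspect(data: bytes) -> str:
    """
    Decision for one raw TLS record, in the vocabulary of the sensor above:
    'pass' (not a heartbeat, or a well-formed one), 'reset' (malformed
    heartbeat) or 'drop' (record cannot be parsed at all).
    """
    rec = parse_tls_record(data)
    if rec is None:
        return "drop"
    content_type, _version, body = rec
    if content_type != CONTENT_TYPE_HEARTBEAT:
        return "pass"             # only heartbeat records are in scope here
    return "pass" if classify_heartbeat(body) == "ok" else "reset"


def _tls_record(content_type: int, body: bytes) -> bytes:
    """Wrap a body in a TLS 1.1 record header (constructed test data only)."""
    return struct.pack("!BBBH", content_type, 3, 2, len(body)) + body


# Constructed samples. Both carry a 4-byte payload and 16 bytes of padding;
# only the declared payload_length differs.
SAMPLE_GOOD = _tls_record(
    CONTENT_TYPE_HEARTBEAT,
    bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 4) + b"ping" + b"\x00" * MIN_PADDING,
)
SAMPLE_BAD = _tls_record(
    CONTENT_TYPE_HEARTBEAT,
    bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 0x4000) + b"ping" + b"\x00" * MIN_PADDING,
)

if __name__ == "__main__":
    for name, sample in (("well-formed", SAMPLE_GOOD), ("oversized length", SAMPLE_BAD)):
        print(f"{name:17s}: {inspect(sample)}")
```

The check is deliberately independent of the TLS version field and of the heartbeat type, since the length mismatch is what matters; a truncated record (header length larger than the bytes actually received) is reported separately as 'drop' so that a reassembly problem is not confused with a malformed heartbeat.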

References

http://heartbleed.com
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
http://www.us-cert.gov/ncas/alerts/TA14-098A

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----