===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0484
              Information Disclosure Vulnerability in OpenSSL
                               10 April 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiGate (FortiOS) 5.x
                   FortiAuthenticator 3.x
                   FortiMail 5.x
                   FortiVoice
                   FortiRecorder
                   FortiADC D-Series models 1500D, 2000D and 4000D
                   FortiADC E-Series 3.x
                   Coyote Point Equalizer GX / LX 10.x
Publisher:         FortiGuard
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0160
Reference:         ESB-2014.0457

Original Bulletin:
   http://www.fortiguard.com/advisory/FG-IR-14-011/

--------------------------BEGIN INCLUDED TEXT--------------------

Information Disclosure Vulnerability in OpenSSL

Info
  Risk:      5 Critical
  Date:      Apr 08 2014
  Impact:    Information Disclosure
  CVE ID:    CVE-2014-0160
  Fixed In:  Firmware Special Release

An information disclosure vulnerability has been discovered in OpenSSL versions 1.0.1 through 1.0.1f. This vulnerability may allow an attacker to access sensitive information from memory by sending specially-crafted TLS heartbeat requests.

Impact

Under certain circumstances, exploitation of this vulnerability can result in the disclosure of sensitive information.

Affected Products

  FortiGate (FortiOS) 5.x
  FortiAuthenticator 3.x
  FortiMail 5.x
  FortiVoice
  FortiRecorder
  FortiADC D-Series models 1500D, 2000D and 4000D
  FortiADC E-Series 3.x
  Coyote Point Equalizer GX / LX 10.x

Solutions

A firmware update for FortiOS is available at http://support.fortinet.com. This vulnerability is fixed in FortiOS version 5.0.7. Firmware updates for FortiAuthenticator, FortiMail and FortiRecorder will be available on Friday April 11th. Firmware release dates for other products are pending.
The following workarounds are available:

1. Apply the mitigating IPS signature to interface policies on affected FortiGate devices. The IPS signature was released in IPS update 4.476 and is named "OpenSSL.TLS.Heartbeat.Information.Disclosure". Note that this will affect traffic destined to the FortiGate and transit traffic. Follow the steps below to configure the FortiGate firewall to use this signature:

   1.1. Applying the signature to an IPS profile.

   Use the following syntax to create a new IPS profile. The new profile will reset SSL connections attempting to use the OpenSSL Heartbleed vulnerability.

      config ips sensor
          edit "ssl.heartbleed"
              config entries
                  edit 1
                      set action reset
                      set rule 38307
                      set status enable
                  next
              end
          next
      end

   1.2. Define an SSL services group.

   Note: This group is only provided as a sample service group. Include all SSL service ports that are applicable in your environment.

      config firewall service custom
          edit "SSLVPN"
              set tcp-portrange 10443
          next
      end

      config firewall service group
          edit "SSL-Services"
              set member "HTTPS" "SSLVPN"
          next
      end

   1.3. Apply this sensor to an interface policy (which applies to both local and transit traffic) or regular firewall policy (transit traffic only). Make sure the policy to which this sensor is applied is specific to SSL services.

   To apply an IPS signature to an interface policy, use the following steps:

   Note: this policy will protect the FortiGate itself on the WAN1 interface and all transit traffic arriving on the WAN1 interface for SSL services only.

      config firewall interface-policy
          edit 0
              set interface "wan1"
              set srcaddr "all"
              set dstaddr "all"
              set service "SSL-Services"
              set ips-sensor-status enable
              set ips-sensor "ssl.heartbleed"
          next
      end

2. Disable any vulnerable SSL services that are not mission critical.
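The length check that the OpenSSL fix added and that an IPS signature such as the one above can key on, as an added example that is not part of the Fortinet or AusCERT bulletin: a small parser that classifies a TLS heartbeat record and flags one whose payload_length field cannot fit inside the record. Function names and the sample records are constructed for this example; the 16-byte minimum padding comes from RFC 6520.

```python
import struct

HEARTBEAT_CONTENT_TYPE = 24  # TLS record content type for heartbeat (RFC 6520)
HEARTBEAT_TYPES = (1, 2)     # heartbeat_request, heartbeat_response
MIN_PADDING = 16             # RFC 6520: padding MUST be at least 16 bytes


def parse_tls_record(data):
    """Split one TLS record into (content_type, version, body); raise
    ValueError if the header is truncated or the length field overruns."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record length field exceeds available bytes")
    return content_type, version, body


def heartbeat_verdict(record):
    """Return 'not-heartbeat', 'ok' or 'malformed' for one TLS record.

    'malformed' is the Heartbleed condition: the declared payload_length
    plus the mandatory padding does not fit in the record, so a vulnerable
    responder would copy memory it never received. A fixed OpenSSL discards
    such a message; the IPS signature above resets the connection instead."""
    try:
        content_type, _version, body = parse_tls_record(record)
    except ValueError:
        return "malformed"
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return "not-heartbeat"
    if len(body) < 3 or body[0] not in HEARTBEAT_TYPES:
        return "malformed"
    payload_len = struct.unpack("!H", body[1:3])[0]
    # type (1) + payload_length (2) + payload + padding (>= 16) must fit.
    if 1 + 2 + payload_len + MIN_PADDING > len(body):
        return "malformed"
    return "ok"


# Constructed sample records (not captured traffic): a well-formed request
# carrying "hello" plus 16 bytes of padding, one whose payload_length field
# (0x4000) far exceeds the 5 bytes it carries, and a plain handshake record.
SAMPLE_OK = bytes.fromhex("1803020018" "010005" "68656c6c6f" + "00" * 16)
SAMPLE_OVERSIZED = bytes.fromhex("1803020018" "014000" "68656c6c6f" + "00" * 16)
SAMPLE_HANDSHAKE = bytes.fromhex("1603010005" "0100000100")
```

Feeding records from a capture through heartbeat_verdict gives a quick way to confirm that an upstream signature or patched endpoint is actually rejecting oversized heartbeats.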
References

  http://heartbleed.com
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
  http://www.us-cert.gov/ncas/alerts/TA14-098A

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================