Disclosure Vulnerability in OpenSSL

-
An information disclosure vulnerability has been discovered in OpenSSL versions 1.0.1 through 1.0.1f. This vulnerability may allow an attacker to access sensitive information from memory by sending specially-crafted TLS heartbeat requests.

Impact

Under certain circumstances, exploitation of this vulnerability can result in the disclosure of sensitive information.

=========================================================================

Solutions

A firmware update for FortiOS is available at http://support.fortinet.com. This vulnerability is fixed in FortiOS version 5.0.7.

Firmware updates for FortiAuthenticator, FortiMail and FortiRecorder will be available on Friday April 11th. Firmware release dates for other products are pending.

The following workarounds are available:

1. Apply the mitigating IPS signature to interface policies on affected FortiGate devices. The IPS signature was released in IPS update 4.476 and is named "OpenSSL.TLS.Heartbeat.Information.Disclosure". Note that this will affect traffic destined to the FortiGate and transit traffic. Follow the steps below to configure the FortiGate firewall to use this signature:

1.1. Applying the signature to an IPS profile.

Use the following syntax to create a new IPS profile. The new profile will reset SSL connections attempting to use the OpenSSL Heartbleed vulnerability.
config ips sensor
edit "ssl.heartbleed"
config entries
  edit 1
    set action reset
    set rule 38307
    set status enable
  next
end
next
end
1.2. Define an SSL services group.

Note: This group is only provided as a sample service group. Include all SSL service ports that are applicable in your environment.
config firewall service custom
  edit "SSLVPN"
    set tcp-portrange 10443
  next
end
config firewall service group
  edit "SSL-Services"
    set member "HTTPS" "SSLVPN"
  next
end
1.3. Apply this sensor to an interface policy (which applies to both local and transit traffic) or regular firewall policy (transit traffic only).

Make sure the policy to which this sensor is applied is specific to SSL services.

To apply an IPS signature to an interface policy, use the following steps:

Note: this policy will protect the FortiGate itself on the WAN1 interface and all transit traffic arriving on the WAN1 interface for SSL services only.
config firewall interface-policy
  edit 0
    set interface "wan1"
    set srcaddr "all"
    set dstaddr "all"
    set service "SSL-Services"
    set ips-sensor-status enable
    set ips-sensor "ssl.heartbleed"
  next
end
2. Disable any vulnerable SSL services that are not mission critical.

Comments

Post a Comment

Popular posts from this blog

Upgrading the firmware on a standalone Fortigate unit or units in an HA cluster

-
Understanding upgrade paths: Each firmware version has an upgrade path requirement from older versions. Most of the time when you are in a MR (major release) patch level, you can upgrade straight to any patch level within the MR. ex: 1) currently, a fortigate unit is running 4.0 MR3 patch 3. 2) You wish to upgrade it to 4.0 MR3 patch 11. 3) You can simply upgrade it directly to 4.0 MR3 patch 11. Most of the time when you are upgrading from a MR to the next MR, you can upgrade straight to any patch level in the next MR as long as you are at the highest patch level in the lower/previous MR. ex: 1) currently, a fortigate unit is running 4.0 MR2 patch 3. 2) You wish to upgrade it to 4.0 MR3 patch 11. 3) You must first upgrade it to 4.0 MR2 patch 13 (highest 4.0 MR2 patch). 4) Then you can upgrade to 4.0 MR3 patch 11. You should ALWAYS refer to the release notes of the firmware release you wish to upgrade your unit. Even, for comfort, just open a ticket...
Read more

Traffic Shaping With Fortigate

-
FortiGate v4.0 Description This article describes the Traffic Shaping features that have been implemented in FortiOS 4.0 In FortiOS version 4.0, the traffic shaping has been enhanced. Diagnose commands allowing to verify each traffic shaper's usage and giving more configuration flexibility. See also the related articles at the end of this page for additional information. Solution Summary 1- Traffic shaping configuration is dissociated from the Firewall policies allowing multiple policies to use common configurations 2- Possibility to use independent configurations in policies for forward and reverse traffic directions 3- The P2P shaping capabilities are now defined at the application control level 4- Troubleshooting packet loss with statistics on traffic shaping configurations 5- Troubleshooting packet loss with the debug flow diagnose commands 6- Session list details with dual traffic shaper (forward and reverse traffic) 1- Traffic shaping configuration is di...
Read more