-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.1569
                    OpenSSL vulnerabilities - June 2015
                               16 June 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Fortinet FortiOS
                   Fortinet FortiManager
                   Fortinet FortiAnalyzer
                   Fortinet FortiAP
                   Fortinet AscenLink
                   Fortinet FortiADC
                   Fortinet FortiAuthenticator
                   Fortinet FortiCache
                   Fortinet FortiClient
                   Fortinet FortiDDoS
                   Fortinet FortiMail
                   Fortinet FortiRecorder
                   Fortinet FortiSandbox
                   Fortinet FortiVoice Enterprise
                   Fortinet FortiWeb
                   Fortinet FSSO
Publisher:         FortiGuard
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-1792 CVE-2015-1791 CVE-2015-1790
                   CVE-2015-1789 CVE-2015-1788 CVE-2014-8176

Reference:         ESB-2015.1561
                   ESB-2015.1557
                   ESB-2015.1540
                   ESB-2015.1544.2

Original Bulletin: 
   http://www.fortiguard.com/advisory/FG-IR-15-014/

- --------------------------BEGIN INCLUDED TEXT--------------------

OpenSSL vulnerabilities - June 2015

Info

Risk   Low 

Date   Jun 11 2015

Impact Denial of service and memory corruption

CVE ID CVE-2014-8176, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, 
       CVE-2015-1791, CVE-2015-1792

OpenSSL released a security advisory in June 2015 to announce multiple 
security vulnerabilities, of low to moderate severity.

There is no known public exploit for any of the CVEs mentioned in the OpenSSL
advisory.

Affected products vary, depending on the CVE:

DHE man-in-the-middle protection (Logjam): See FortiGuard bulletin 
FG-IR-15-013 for details.

CVE-2015-1788: FortiOS is confirmed to use an affected version of OpenSSL, 
although no practical case of exploitation has been demonstrated so far. Other
products are under investigation.

CVE-2015-1789: FortiOS and FortiAuthenticator are confirmed to use an affected
version of OpenSSL, although no practical case of exploitation has been 
demonstrated so far. Other products are under investigation.

CVE-2015-1790: Under investigation.

CVE-2015-1791: FortiOS and FortiClient are confirmed to use an affected 
version of OpenSSL, although no practical case of exploitation has been 
demonstrated so far. Other products are under investigation.

CVE-2015-1792: FortiMail is confirmed to use an affected version of OpenSSL, 
although no practical case of exploitation has been demonstrated so far. Other
products are under investigation.

CVE-2014-8176: See solutions below.

Impact

Denial of service (CVE-2015-1788, CVE-2015-1789, CVE-2015-1792, CVE-2014-8176)
and possible memory corruption (CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, 
CVE-2014-8176).

Solutions

Regardless of the exploitability (or lack thereof) of CVE-2015-1788, 
CVE-2015-1789, CVE-2015-1790, CVE-2015-1791 and CVE-2015-1792, an OpenSSL 
upgrade will be scheduled for all products running a vulnerable version.

CVE-2014-8176 consideration:

The following products must be upgraded to the mentioned versions, which run a
non-vulnerable OpenSSL version:

FortiOS 4.3.16, FortiOS 5.0.8 or above, FortiOS 5.2.0 or above

FortiManager 5.0.9 or above

FortiAnalyzer 5.0.9 or above

FortiAP 5.0.8 or above

AscenLink 7.2.3 or above

FortiADC 4.2.0 or above

FortiAuthenticator 3.1.0 or above

FortiCache 3.0.0 or above

FortiClient Windows/MAC 5.2.3 or above

FortiClient iOS 5.2.1 or above

FortiClient Android 5.2.6 or above

FortiDDoS 4.1.5 or above

FortiMail 4.3.10 or above

FortiRecorder 2.0.1 or above

FortiSandbox 2.0.0 or above

FortiVoice Enterprise 3.0.6 or above

FortiWeb 5.3.3 or above

FSSO build 235 or above

For all products, please contact Fortinet TAC support for the current ETA of 
the patched release.
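The fixed-release table above has a pitfall for anyone scripting a fleet check: several products keep more than one branch in support, so a single "is the installed version at least X" comparison gets the answer wrong (FortiOS 5.0.7 is numerically above 4.3.16, yet only 5.0.8 or later closes CVE-2014-8176 on the 5.0 branch). The script below is an added example, not Fortinet's or AusCERT's code. It transcribes the CVE-2014-8176 table from the Solutions section, compares an installed version within its own major.minor branch, and treats any branch newer than every listed one as "or above". It covers only CVE-2014-8176, since the advisory lists fixed releases for no other CVE. The sample inventory is constructed; the FortiOS entries imitate the "Version:" line of a FortiGate "get system status" output, and the regex that extracts it is an assumption about that format, not something the advisory specifies. Reading "FortiOS 4.3.16" as "4.3.16 or later within 4.3" is likewise an assumption.

```python
"""Branch-aware check of installed Fortinet releases against the CVE-2014-8176
fixed-version table in FG-IR-15-014. Added example; not Fortinet's own code."""
import re

# Minimum fixed release per maintained branch, transcribed from the advisory's
# Solutions section. A branch is identified by its leading major.minor pair;
# a release in a branch newer than every listed one counts as "or above".
# FSSO is build-numbered, so its entry is a single integer.
FIXED_VERSIONS = {
    "FortiOS": ["4.3.16", "5.0.8", "5.2.0"],   # 4.3.16 taken as "4.3.16+" (assumption)
    "FortiManager": ["5.0.9"],
    "FortiAnalyzer": ["5.0.9"],
    "FortiAP": ["5.0.8"],
    "AscenLink": ["7.2.3"],
    "FortiADC": ["4.2.0"],
    "FortiAuthenticator": ["3.1.0"],
    "FortiCache": ["3.0.0"],
    "FortiClient Windows/MAC": ["5.2.3"],
    "FortiClient iOS": ["5.2.1"],
    "FortiClient Android": ["5.2.6"],
    "FortiDDoS": ["4.1.5"],
    "FortiMail": ["4.3.10"],
    "FortiRecorder": ["2.0.1"],
    "FortiSandbox": ["2.0.0"],
    "FortiVoice Enterprise": ["3.0.6"],
    "FortiWeb": ["5.3.3"],
    "FSSO": ["235"],
}


def parse_version(text):
    """Return the release number found in `text` as a tuple of ints.

    Accepts bare versions ("5.0.8"), a CLI-style "v5.0.7,build0287" string
    (the v-prefixed dotted number wins over other digits such as a model
    number; this format is an assumption) and build-only strings ("build 235").
    Raises ValueError when nothing numeric is present.
    """
    m = re.search(r"\bv(\d+(?:\.\d+)+)", text) or re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(part) for part in m.group(1).split("."))


def assess(product, version_text):
    """Classify an installed release as 'fixed', 'vulnerable' or 'unknown'
    for CVE-2014-8176, comparing only within the release's own branch."""
    installed = parse_version(version_text)
    fixed = sorted(parse_version(v) for v in FIXED_VERSIONS[product])
    # Dotted releases are grouped by major.minor; a bare build number is its own branch.
    branch_len = 2 if len(installed) >= 2 else 1
    for minimum in fixed:
        if installed[:branch_len] == minimum[:branch_len]:
            # A bare "5.0" with no patch level compares below "5.0.8": conservative.
            return "fixed" if installed >= minimum else "vulnerable"
    if installed[:branch_len] > fixed[-1][:branch_len]:
        return "fixed"        # newer branch than any listed: the advisory's "or above"
    if installed[:branch_len] < fixed[0][:branch_len]:
        return "vulnerable"   # older than the oldest branch with a fix: nothing listed
    return "unknown"          # a branch between listed ones that the advisory does not name


# Constructed sample inventory (not real device output). The FortiOS lines
# mimic the "Version:" line of a FortiGate "get system status" (assumed format).
SAMPLE_INVENTORY = [
    ("FortiOS", "Version: FortiGate-60D v5.0.7,build0287,140812 (GA)"),
    ("FortiOS", "v4.3.16,build0700"),
    ("FortiMail", "4.3.9"),
    ("FSSO", "build 240"),
]


def audit(inventory):
    """Return [(product, version_text, status)] for every inventory entry."""
    return [(product, text, assess(product, text)) for product, text in inventory]


if __name__ == "__main__":
    for product, text, status in audit(SAMPLE_INVENTORY):
        print("%-10s %-52s %s" % (product, text, status))
```

Feed it the version strings your asset inventory already holds rather than logging into every appliance; a result of "unknown" means the branch is not one the advisory names, and that device should go to Fortinet TAC rather than be marked fixed by default.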

References

https://openssl.org/news/secadv_20150611.txt

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================