-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.1569
                     OpenSSL vulnerabilities - June 2015
                                 16 June 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Fortinet FortiOS
                   Fortinet FortiManager
                   Fortinet FortiAnalyzer
                   Fortinet FortiAP
                   Fortinet AscenLink
                   Fortinet FortiADC
                   Fortinet FortiAuthenticator
                   Fortinet FortiCache
                   Fortinet FortiClient
                   Fortinet FortiDDoS
                   Fortinet FortiMail
                   Fortinet FortiRecorder
                   Fortinet FortiSandbox
                   Fortinet FortiVoice Enterprise
                   Fortinet FortiWeb
                   Fortinet FSSO
Publisher:         FortiGuard
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-1792 CVE-2015-1791 CVE-2015-1790 CVE-2015-1789
                   CVE-2015-1788 CVE-2014-8176
Reference:         ESB-2015.1561
                   ESB-2015.1557
                   ESB-2015.1540
                   ESB-2015.1544.2

Original Bulletin: 
   http://www.fortiguard.com/advisory/FG-IR-15-014/

- --------------------------BEGIN INCLUDED TEXT--------------------

OpenSSL vulnerabilities - June 2015

Info
  Risk:    Low
  Date:    Jun 11 2015
  Impact:  Denial of service and memory corruption
  CVE ID:  CVE-2014-8176, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790,
           CVE-2015-1791, CVE-2015-1792

OpenSSL released a security advisory in June 2015 announcing multiple
security vulnerabilities of low to moderate severity. There is no known
public exploit for any of the CVEs mentioned in the OpenSSL advisory.

Affected products vary, depending on the CVE:

DHE man-in-the-middle protection (Logjam): See FortiGuard bulletin
FG-IR-15-013 for details.

CVE-2015-1788: FortiOS is confirmed to use an affected version of OpenSSL,
although no practical case of exploitation has been demonstrated so far.
Other products are under investigation.

CVE-2015-1789: FortiOS and FortiAuthenticator are confirmed to use an
affected version of OpenSSL, although no practical case of exploitation has
been demonstrated so far. Other products are under investigation.

CVE-2015-1790: Under investigation.

CVE-2015-1791: FortiOS and FortiClient are confirmed to use an affected
version of OpenSSL, although no practical case of exploitation has been
demonstrated so far. Other products are under investigation.

CVE-2015-1792: FortiMail is confirmed to use an affected version of
OpenSSL, although no practical case of exploitation has been demonstrated
so far. Other products are under investigation.

CVE-2014-8176: See solutions below.

Impact

Denial of service (CVE-2015-1788, CVE-2015-1789, CVE-2015-1792,
CVE-2014-8176) and possible memory corruption (CVE-2015-1789,
CVE-2015-1790, CVE-2015-1791, CVE-2014-8176).

Solutions

Regardless of the exploitability (or lack thereof) of CVE-2015-1788,
CVE-2015-1789, CVE-2015-1790, CVE-2015-1791 and CVE-2015-1792, an OpenSSL
upgrade will be scheduled for all products running a vulnerable version.

CVE-2014-8176 consideration: The following products must be upgraded to the
versions listed below, which ship a non-vulnerable OpenSSL version:

  FortiOS 4.3.16, FortiOS 5.0.8 or above, FortiOS 5.2.0 or above
  FortiManager 5.0.9 or above
  FortiAnalyzer 5.0.9 or above
  FortiAP 5.0.8 or above
  AscenLink 7.2.3 or above
  FortiADC 4.2.0 or above
  FortiAuthenticator 3.1.0 or above
  FortiCache 3.0.0 or above
  FortiClient Windows/MAC 5.2.3 or above
  FortiClient iOS 5.2.1 or above
  FortiClient Android 5.2.6 or above
  FortiDDoS 4.1.5 or above
  FortiMail 4.3.10 or above
  FortiRecorder 2.0.1 or above
  FortiSandbox 2.0.0 or above
  FortiVoice Enterprise 3.0.6 or above
  FortiWeb 5.3.3 or above
  FSSO build 235 or above

For all products, please contact Fortinet TAC support for the current ETA of
the patched releases.
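The fixed-version list above is the part of this bulletin most likely to be
acted on in bulk, and the usual mistake when doing so is comparing version
strings lexicographically (where "5.0.10" sorts below "5.0.8") or ignoring
that FortiOS has three separately maintained branches with different
minimums. The following script is an added example, not part of the
FortiGuard advisory or of any Fortinet tooling: it encodes the CVE-2014-8176
minimum releases from the list above as numeric tuples and performs a
branch-aware check against a constructed inventory. Two assumptions are
mine, not the bulletin's: the bare "FortiOS 4.3.16" is read as "4.3.16 or
above", and a branch newer than every listed one is treated as fixed. FSSO
is left out because its "build 235" is not a dotted release number.

```python
"""Branch-aware check of Fortinet product versions against the minimum
fixed releases listed in FG-IR-15-014 for CVE-2014-8176.

Added example; not FortiGuard or AusCERT code. Minimum versions are copied
from the bulletin's "CVE-2014-8176 consideration" list; the inventory rows
below are constructed sample data.
"""
import re

# Minimum fixed release per product, one entry per maintained branch
# (major.minor). FSSO ("build 235") is omitted: not a dotted release.
FIXED_VERSIONS = {
    "FortiOS":                 [(4, 3, 16), (5, 0, 8), (5, 2, 0)],
    "FortiManager":            [(5, 0, 9)],
    "FortiAnalyzer":           [(5, 0, 9)],
    "FortiAP":                 [(5, 0, 8)],
    "AscenLink":               [(7, 2, 3)],
    "FortiADC":                [(4, 2, 0)],
    "FortiAuthenticator":      [(3, 1, 0)],
    "FortiCache":              [(3, 0, 0)],
    "FortiClient Windows/Mac": [(5, 2, 3)],
    "FortiClient iOS":         [(5, 2, 1)],
    "FortiClient Android":     [(5, 2, 6)],
    "FortiDDoS":               [(4, 1, 5)],
    "FortiMail":               [(4, 3, 10)],
    "FortiRecorder":           [(2, 0, 1)],
    "FortiSandbox":            [(2, 0, 0)],
    "FortiVoice Enterprise":   [(3, 0, 6)],
    "FortiWeb":                [(5, 3, 3)],
}


def parse_version(text):
    """'v5.0.10,build0305' -> (5, 0, 10).

    Numeric tuples compare correctly; raw strings do not
    ('5.0.10' < '5.0.8' lexicographically). Only the first three numbers
    are used, so a trailing build number is ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    if not nums:
        raise ValueError("no version number in %r" % text)
    return tuple(nums + [0] * (3 - len(nums)))


def is_patched(product, running):
    """True if `running` is at or above the fixed release for its branch.

    Assumptions (mine, not the bulletin's): the bare 'FortiOS 4.3.16' means
    '4.3.16 or above', and a branch newer than every listed one (e.g. a
    hypothetical 5.4.x) counts as fixed. A branch older than every listed
    one, or one that falls between listed branches, is reported as not
    fixed, which is the conservative reading."""
    minimums = FIXED_VERSIONS[product]   # KeyError: product not in the list
    version = parse_version(running)
    for minimum in minimums:
        if version[:2] == minimum[:2]:   # same major.minor branch
            return version >= minimum
    return version > max(minimums)


def audit(inventory):
    """Return the (hostname, product, version) rows that still need upgrading."""
    return [(host, product, ver) for host, product, ver in inventory
            if not is_patched(product, ver)]


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("fw-edge-01",  "FortiOS",      "v5.0.10,build0305"),  # 5.0.10 >= 5.0.8
    ("fw-edge-02",  "FortiOS",      "5.0.7"),              # needs 5.0.8
    ("fw-branch-9", "FortiOS",      "4.3.15"),             # needs 4.3.16
    ("fw-legacy",   "FortiOS",      "4.2.14"),             # branch below all fixes
    ("fmg-01",      "FortiManager", "5.0.8"),              # needs 5.0.9
    ("mail-gw",     "FortiMail",    "4.3.10"),             # at minimum: ok
]

if __name__ == "__main__":
    for host, product, ver in audit(SAMPLE_INVENTORY):
        print("UPGRADE REQUIRED: %s %s %s" % (host, product, ver))
```

Feed it real inventory by replacing SAMPLE_INVENTORY with rows exported from
your asset register; products absent from FIXED_VERSIONS raise a KeyError on
purpose so that an unrecognised product name is noticed rather than silently
passed as patched.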
References

https://openssl.org/news/secadv_20150611.txt

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVX96PX6ZAP0PgtI9AQL7dRAAh23uU184H/w7ll4DK+5lFzpAIwcsI7bU
kZAw7OPHViFH5TBbiixGYX+TBMn++gpLM41nR+J0+op6x4fdAFfyG6AqHnmoUKD2
06BsMv2gVPmzvQ4cIUmEhrbfpgnRHXV++tRGHplg5PYHyFMrdGlLts7Ef4vwez3c
9Z67RZcckR3OS1nnpspIvGe94ZeoMnndic/5W+i48BY0/KMFNHkEssMPDRZ7C01l
wjyCfiGZCpHwN1PBP2IrNiITl8vbt3ngjZDew6fRbcBfZwM+BCC3OK1Ls4fSQ4yv
f8RW9o4yn9qyd6uBuQH2rN1e1p3xzBJ2594k9AGM1z27ERe9C0c2G4oeLxa10iN5
1cP/HzwM+z5an1csMGHl3I7F6V4NwjUa4JPGqPt5qEoXQ8ABpKDqni7h2r0HXfQC
ixXkCymcvSfB9llyjNqlZP9jtzoiCDRk0SJ/KwMmnlfldPlpZtDGJGYtS9egcZos
nLYbQzMedLjppSLkd+lvRV6bMCTSgJy75aVBNynGim3PmSdJ4m2Vef8xndr394V3
AMqUEslVNqalIMHLzU/2UBWhmSTEXP091UrsplJzJaFL3MHJOvYDsCvh8cEj+WR3
W1jn+q5pAxfFPjUe3DP9vwFoUxj0pMakq2L1KUlPPT78hwlK79bYqvHbCWrmQX7m
EEeXh1lR/9M=
=OUki
-----END PGP SIGNATURE-----