-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.1905
                     "POODLE has friends" vulnerability
                                22 July 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiOS
Publisher:         FortiGuard
Operating System:  Network Appliance
Impact/Access:     Provide Misleading Information -- Remote/Unauthenticated
                   Unauthorised Access            -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-4558

Original Bulletin:
   http://www.fortiguard.com/advisory/FG-IR-15-016/

- --------------------------BEGIN INCLUDED TEXT--------------------

"POODLE has friends" vulnerability

Info
Risk:   1 Info
Date:   Jul 15 2015
Impact: Man in the middle

The SSL-VPN feature of FortiOS 4.3.12 and lower only checks the first byte of
the TLS MAC in the finished message. An attacker may intercept encrypted
packets in transit and modify their contents by changing the middle or the end
of the MAC field in the TLS finished message.

Impact
A remote attacker may be able to modify the contents of an encrypted TLS packet
without detection of the modifications when the SSL-VPN feature is configured.
Fortinet is not aware of any exploit in the wild.

Affected Products
FortiOS 4.3.12 and lower.

Solutions
Customers using the SSL-VPN feature and running FortiOS <= 4.3.12 must upgrade
to FortiOS 4.3.13 / 5.0.x / 5.2.x.

Acknowledgement
Thanks to Yngve N. Pettersen for working with us to help protect customers.

References
https://vivaldi.net/en-US/blogs/entry/the-poodle-has-friends

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your organisation,
so if you do not wish to continue receiving these bulletins you should contact
your local IT manager. If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVa7zOH6ZAP0PgtI9AQITShAAoSnKm+F1rQfntKE4Kk9DApMS40F3v7NS
ne0iJs1vCtnyFRcX/8CU24lyEgsf6NDE4Y+N8biqx7qeONbTcxD+YHBv8GOa2X2a
yPz5fExRkanyTY/gEGSiaeEHY+LbuCUOc/56uj92oNXlCwa5XqXrgnyV1v+hcrEJ
TeTFNsk3qOv8yRmeRYKEkVO5EcEOCcTtu7lwhD+b8LcWn4YEpxXeCEOGXVxwoMBA
m2qM4IAstExfkr2GjZStDem7spFEF0/IlPAaEkttk0QKF7ytOcehQGDxN2XpjzPu
Ygqc9FC3qmSX7ITk6fYIorCOkqvtyUCQ+UXCMi790OV3pRuJN8O+/xWxb6piqega
ZDUZ8Ch/jVRE9fPVD/N6iEaOXrlJtpROonbS/wsL+K7U7Qxa9EzWglQ2KOMCSiCK
cfSVulUFqk/IklAh7sdEcVkJ1od+x4k5Wq5Lb4LdO4/ZlZe1ODI/FLf3uVj3MSMf
3nFkURUjPflQ6Uder2rA4c7ndYp2CkbeEvWSilcD43DD9Wrij1d8ift/O12F1mKi
2S41FSd4XZiDaubPB0lc0lYOxyh7Bm/KhS7m9oyLL4OUS0DFGuJPw6k4ddJKFLZv
PYhhTM5mht93xqeF4E2l/ZPlAMmLMbVsWHvaaomk6nBD6A24FxAWsGh5PxwRJATB
3zspK0zHhiE=
=LLHz
-----END PGP SIGNATURE-----
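The defect the included FortiGuard text describes is a MAC check that compares only the first byte of the tag. The Python below is an added illustration, not code from the FortiGuard or AusCERT bulletin and not FortiOS code: it places a verifier that mirrors that flawed check beside a correct full-length, constant-time one, and runs both over a constructed tag whose middle and end bytes have been altered while byte 0 is left intact, which is exactly the kind of modification the bulletin says goes undetected. The key, the payload and the use of HMAC-SHA256 as a stand-in for the TLS record MAC are assumptions made for the demonstration.

```python
import hashlib
import hmac

# Constructed sample key; stand-in for a TLS session MAC key (assumption).
KEY = b"constructed-session-key"
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256


def compute_mac(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 over the record payload; stand-in for the TLS record MAC."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_first_byte_only(key: bytes, data: bytes, tag: bytes) -> bool:
    """Flawed verifier modelled on the bulletin's description: only byte 0 of
    the received MAC is compared, so bytes 1..31 are never checked."""
    if len(tag) != MAC_LEN:
        return False
    expected = compute_mac(key, data)
    return tag[0] == expected[0]


def verify_full(key: bytes, data: bytes, tag: bytes) -> bool:
    """Correct verifier: length check, then a constant-time comparison of the
    whole tag so that no byte of the MAC is left unverified."""
    if len(tag) != MAC_LEN:
        return False
    expected = compute_mac(key, data)
    return hmac.compare_digest(tag, expected)


def alter_middle_and_end(tag: bytes) -> bytes:
    """Keep byte 0 as-is and flip every remaining byte: a change to the
    'middle or the end of the MAC field' in the bulletin's words."""
    return tag[:1] + bytes(b ^ 0xFF for b in tag[1:])


def demo() -> dict:
    """Run both verifiers over an intact and an altered tag for one record."""
    data = b"constructed Finished-message payload"  # constructed sample
    good_tag = compute_mac(KEY, data)
    altered_tag = alter_middle_and_end(good_tag)
    return {
        "flawed_accepts_intact": verify_first_byte_only(KEY, data, good_tag),
        "flawed_accepts_altered": verify_first_byte_only(KEY, data, altered_tag),
        "full_accepts_intact": verify_full(KEY, data, good_tag),
        "full_accepts_altered": verify_full(KEY, data, altered_tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The flawed verifier reports the altered tag as valid because the only byte it looks at is unchanged; the full-length verifier rejects it. The length check in `verify_full` matters as well: `hmac.compare_digest` compares whole byte strings, and rejecting a short or oversized tag up front keeps a truncated MAC from ever being treated as acceptable.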