PSIRT Advisory

CVE-2014-8730 "POODLE for TLS" vulnerability

Impact

Information disclosure

Affected Products

FortiOS 5.2.2, 5.2.1, 5.2.0, 5.0.10 and lower running on a hardware appliance when all the following conditions are met:

  • FortiGate models with accelerated CP processors
  • The SSL connection is using TLS v1.0, v1.1 or v1.2
  • The SSL ciphers are CBC
  • Only the following features are affected: virtual server with SSL, SSL offload, explicit-proxy SSL,
    transparent-proxy SSL, web-cache SSL, Wan Opt SSL and SIP SSL

All versions of FortiGate VM, the FortiOS 5.4 branch, the FortiOS 5.6 branch and later releases are not vulnerable.
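The two protocol-level conditions above (TLS 1.0, 1.1 or 1.2 with a CBC cipher suite) can be checked from the outside against an SSL-offloading virtual server or proxy. The following script is an added example, not Fortinet code: it offers the server only CBC suites over TLS 1.0 to 1.2 and reports whether the handshake succeeds. The target host and port are assumptions supplied on the command line, and the cipher classification works on OpenSSL suite names, which omit "CBC" from most legacy names.

```python
"""
Added example (not from the advisory): probe a TLS endpoint for the advisory's
protocol conditions, TLS 1.0-1.2 with a CBC cipher suite, by offering only CBC
suites and checking whether the server completes the handshake.
"""
import socket
import ssl
import sys

# Protocol versions named in the advisory (as reported by SSLSocket.version()).
AFFECTED_PROTOCOLS = ("TLSv1", "TLSv1.1", "TLSv1.2")

# Substrings in OpenSSL suite names that mark a non-CBC cipher.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20", "POLY1305")
STREAM_MARKERS = ("RC4",)
NULL_MARKERS = ("NULL",)

# OpenSSL cipher-list string that keeps only CBC block-cipher suites
# (drops AEAD suites, RC4 and NULL/anonymous suites).
CBC_ONLY_CIPHER_STRING = "ALL:!aNULL:!eNULL:!AESGCM:!AESCCM:!CHACHA20:!RC4"


def is_cbc_cipher(openssl_name: str) -> bool:
    """Return True when an OpenSSL suite name denotes a CBC-mode block cipher.

    OpenSSL omits "CBC" from most legacy names (AES128-SHA is AES-128-CBC,
    DES-CBC3-SHA is 3DES-CBC), so classify by exclusion: anything that is not
    an AEAD suite, not a stream cipher and not NULL encryption is CBC.
    """
    upper = openssl_name.upper()
    for marker in AEAD_MARKERS + STREAM_MARKERS + NULL_MARKERS:
        if marker in upper:
            return False
    return True


def assess(protocol: str, cipher_name: str) -> str:
    """Map a negotiated (protocol, suite) pair onto the advisory's conditions."""
    if protocol in AFFECTED_PROTOCOLS and is_cbc_cipher(cipher_name):
        return "EXPOSED: %s with CBC suite %s negotiated" % (protocol, cipher_name)
    return "not matching: %s %s" % (protocol, cipher_name)


def probe(host: str, port: int = 443, timeout: float = 5.0):
    """Offer only CBC suites over TLS 1.0-1.2.

    Returns (protocol, cipher) when the server accepts one, or None when the
    server refuses every CBC suite, i.e. the advisory's cipher condition no
    longer holds for this endpoint.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # this checks cipher policy, not identity
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(CBC_ONLY_CIPHER_STRING)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


if __name__ == "__main__":
    # Placeholder target; pass the virtual server's hostname as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "vip.example.invalid"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    result = probe(target, port)
    if result is None:
        print("%s:%d accepted no CBC suite over TLS 1.0-1.2" % (target, port))
    else:
        print(assess(*result))
```

Run it as `python3 probe_cbc.py vip.example.invalid 443` against each affected virtual server, explicit proxy or SIP SSL listener. On recent OpenSSL builds the default security level may refuse to offer TLS 1.0/1.1 at all; in that case appending `:@SECLEVEL=0` to the cipher string lets the probe reach older servers. A result of None is the desired state after the upgrade or workaround; an "EXPOSED" line means the endpoint still negotiates the combination the advisory describes, which by itself does not prove the CP-processor condition but does mean the endpoint deserves the IPS signature and a firmware check.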

Solutions

FortiOS 5.0 branch users must upgrade to 5.0.11 or higher.

FortiOS 5.2 branch customers must upgrade to 5.2.3 or higher.

Customers running FortiOS 5.2.2, 5.2.1, 5.2.0, 5.0.10 or lower who meet all the conditions listed in the Affected Products section can apply the following workaround:

    config system global
        set virtual-server-hardware-acceleration disable
    end

Note: the performance impact of disabling hardware acceleration may be significant.

To protect devices behind a FortiGate, the following IPS signature blocks attack attempts and has been available since IPS update 5.587: TLS.Padding.Oracle.Information.Disclosure