PSIRT Advisory

TLS FREAK Attack

Description

FREAK is an attack on SSL/TLS, which allows "Man in the Middle" attackers to decipher and alter HTTPS connections between a server supporting "export-grade" cipher suites and a vulnerable client.
It consists in downgrading the connection's encryption from "strong" RSA to "export-grade" RSA, by leveraging a vulnerability (CVE-2015-0204) on the client side.
The "export-grade" encryption is weak enough to be broken by the attacker, who can then decipher and alter the connection.

Impact

Information disclosure

Affected Products

Affected products:
FortiOS 5.2.2 and earlier allow SSL connections that pass-through the SSLVPN web-mode feature with export-grade ciphers if remote HTTPS end servers are vulnerable to FREAK.
Other FortiOS features are not affected by TLS FREAK.
FortiMail all versions, in its default configuration (see solutions below).
Products confirmed not affected:
AscenLink
FortiADC
FortiAnalyzer
FortiAuthenticator
FortiCache
FortiClient
FortiDB
FortiDDoS
FortiManager
FortiSandbox
FortiVoice
FortiWeb

Solutions

FortiGate
Upgrade to FortiOS 5.2.3 / 5.0.11
For FortiOS 4.3.x, 5.0.x, 5.2.0 and 5.2.1, a full workaround consists in enabling strong-crypto:
config system global      set strong-crypto enable  end 
For FortiOS 5.2.2, a workaround for customers using the FortiGate SSL-VPN portal web mode feature should verify the HTTPS websites that are allowed through the bookmarks and connection info widgets.
Verification steps:
Bookmarks: Go to VPN > SSL > Portal menu and check HTTPS bookmarks in SSLVPN profiles that offer web mode.
Connection info: Review the destination addresses included in the firewall policies with an SSL-VPN portal in web mode assigned.
If one or more HTTPS websites are not patched against the FREAK vulnerability, Fortinet PSIRT advise customers to disable bookmark or restrict the allowed destination addresses in order to remove access to vulnerable remote web servers.
FortiGate IPS signature
FortiGate can protect SSL connections against the downgrade attack.
Make sure the IPS signature called SSL.RSA.Temporary.Key.Security.Bypass is enabled. It is available in IPS update 5.619.
FortiMail
The following command must be set to prevent weak ciphers to be negotiated on FortiMail with default configuration:
config system globalset strong-crypto enableend