PSIRT Advisory

OpenSSL vulnerabilities - March 2015

Description

OpenSSL released a security advisory in March 2015 to announce multiple security vulnerabilities.

Impact

Denial of service and memory corruption

Affected Products

FortiADC may be impacted by CVE-2015-0285 and CVE-2015-0291.
FortiOS 5.0.11 and 5.2.3 may be impacted by CVE-2015-0286 when the SSLVPN feature with a PKI user and client certificate is used.
FortiClient may be impacted by CVE-2015-0289 and CVE-2015-0292.
Products that allow a PKCS#12 certificate to be imported by an administrator user may be impacted by CVE-2015-0289.
Additionally:
CVE-2015-0207: no product impacted
CVE-2015-0208: no product impacted
CVE-2015-0209: no product impacted
CVE-2015-0287: no product impacted
CVE-2015-0288: no product impacted
CVE-2015-0290: no product impacted
CVE-2015-0293: no product impacted
CVE-2015-1787: no product impacted

Solutions

Regardless of exploitability (or the lack thereof), all products embedding a vulnerable version of OpenSSL will be updated. The following list gives the product versions that will embed a patched OpenSSL release:

  • FortiOS: 5.0.12 / 5.2.4 or above
  • FortiManager: 5.0.11 / 5.2.2 or above
  • FortiAnalyzer: 5.0.11 / 5.2.2 or above
  • FortiMail: 4.3.10 / 5.0.9 / 5.1.6 / 5.2.4 or above
  • FortiWeb: 5.3.5 or above
  • FortiAuthenticator: 3.3.1 / 4.0 or above
  • FortiClient: Windows/MAC 5.2.4, Android 5.2.6, iOS 5.2.1 or above
  • FortiRecorder: 2.0.1 / 2.1.1 or above
  • FortiVoice Enterprise: 3.0.6 / 4.0.1 / 4.1.0 or above
  • AscenLink: 7.2.3 or above
  • FortiADC: 4.2.2 or above
  • FortiAP: 5.2.4 or above

For all products, contact Fortinet TAC support for the current ETA of the patched release.
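The "X / Y or above" entries in the Solutions list are per-branch minimums: a FortiOS 5.0.x unit must reach 5.0.12, while a 5.2.x unit must reach 5.2.4, and comparing a 5.0.12 build against 5.2.4 would wrongly report it as unpatched. The following script is an added example (not Fortinet code and not part of this advisory) that transcribes the list above into a table and performs a branch-aware comparison for an inventory of product/version pairs. The reading of "or above" for branches the list does not name is an assumption: a branch newer than every listed fix is treated as patched, and any other unlisted branch is conservatively treated as not patched. The sample inventory at the bottom is constructed.

```python
"""Branch-aware check of Fortinet product versions against the patched
releases listed in the advisory.  Added example, not Fortinet code."""
import re

# Minimum patched release per branch, transcribed from the advisory's
# Solutions list.  A version is patched when it is at or above the fixed
# release of its own major.minor branch.
FIXED_RELEASES = {
    "FortiOS": ["5.0.12", "5.2.4"],
    "FortiManager": ["5.0.11", "5.2.2"],
    "FortiAnalyzer": ["5.0.11", "5.2.2"],
    "FortiMail": ["4.3.10", "5.0.9", "5.1.6", "5.2.4"],
    "FortiWeb": ["5.3.5"],
    "FortiAuthenticator": ["3.3.1", "4.0"],
    "FortiClient Windows": ["5.2.4"],
    "FortiClient MAC": ["5.2.4"],
    "FortiClient Android": ["5.2.6"],
    "FortiClient iOS": ["5.2.1"],
    "FortiRecorder": ["2.0.1", "2.1.1"],
    "FortiVoice Enterprise": ["3.0.6", "4.0.1", "4.1.0"],
    "AscenLink": ["7.2.3"],
    "FortiADC": ["4.2.2"],
    "FortiAP": ["5.2.4"],
}

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text):
    """'5.0.12' -> (5, 0, 12).  Rejects anything that is not dotted integers."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(part) for part in text.split("."))


def is_patched(product, version):
    """True if `version` of `product` is at or above a patched release.

    Rules (an assumption about how 'X / Y or above' is to be read):
      * same major.minor branch as a listed fix -> compare the patch level;
      * branch newer than every listed fix      -> treated as patched;
      * any other branch (older, or unlisted between two fixes) -> not
        patched, the conservative answer for a version the list omits.
    """
    if product not in FIXED_RELEASES:
        raise ValueError("product not in advisory: %r" % product)
    ver = parse_version(version)
    if len(ver) < 2:
        raise ValueError("version needs at least major.minor: %r" % version)
    branch = ver[:2]
    fixes = [parse_version(f) for f in FIXED_RELEASES[product]]
    for fix in fixes:
        if fix[:2] == branch:
            # Tuple comparison: (4, 0, 0) >= (4, 0) holds, so a 4.0.0
            # build satisfies a bare "4.0" entry.
            return ver >= fix
    newest_fixed_branch = max(fix[:2] for fix in fixes)
    return branch > newest_fixed_branch


def needs_update(inventory):
    """Return the (product, version) pairs of `inventory` still needing a patch."""
    return [(p, v) for p, v in inventory if not is_patched(p, v)]


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = [
        ("FortiOS", "5.2.3"),             # named as impacted in the advisory
        ("FortiOS", "5.0.12"),            # first patched 5.0 release
        ("FortiMail", "5.1.5"),           # below 5.1.6
        ("FortiAuthenticator", "4.0.0"),  # satisfies the bare "4.0" entry
        ("FortiAP", "5.4.1"),             # newer branch than any listed fix
    ]
    for item in needs_update(sample):
        print("update required: %s %s" % item)
```

Feeding the script an inventory exported from a management console gives a per-device answer that respects the branch a unit actually runs, which a naive "is version >= 5.2.4" check does not.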