OpenSSL vulnerabilities - June 2015
OpenSSL released a security advisory in June 2015 to announce multiple security vulnerabilities.
Denial of service and memory corruption
With regards to the recent OpenSSL updates to address CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791 and CVE-2015-1792, Fortinet will update OpenSSL for the following products that contain the affected versions of OpenSSL:
- FortiOS 5.2.3 and earlier
- FortiManager 5.2.2 and earlier
- FortiAnalyzer 5.2.2 and earlier
- FortiMail 5.0.8/5.1.5/5.2.4 and earlier
- FortiAuthenticator (versions before 4.0)
- AscenLink 7.2.4 and earlier
- FortiRecorder 2.0 and earlier
- FortiWan 4.0.2 and earlier
- FortiClient Windows/Mac 5.2.3 and earlier
- FortiClient Android 5.2.5 and earlier
Fortinet believes the exploitability and risk in these issues are low or non-existent, but the following workarounds are suggested for customers unable to deploy an update when available:
CVE-2015-1788 workaround: Limit access to features that validates TLS client authentication with a certificate
CVE-2015-1789 workaround: Limit access to features that validates TLS client authentication with a certificate or which verify CRLs when used as a TLS client
CVE-2015-1790 workaround: Limit access to devices that can import PKCS7.
CVE-2015-1791 workaround : Fortinet products are not affected.
CVE-2015-1792 workaround: Limit access to features that handles S/MIME messages.
Special consideration for CVE-2015-4000 Logjam:
See FortiGuard bulletin FG-IR-15-013for details.
The following products must be upgraded to the updated versions:
- FortiOS 4.3.16, FortiOS 5.0.8 or above, FortiOS 5.2.3 or earlier
- FortiManager 5.0.9 or earlier
- FortiAnalyzer 5.0.9 or earlier
- FortiAP 5.0.8 or earlier
- AscenLink 7.2.3 or earlier
- FortiADC 4.2.0 or earlier
- FortiAuthenticator 3.1.0 or earlier
- FortiCache 3.0.0 or earlier
- FortiClient Windows/MAC 5.2.3 or earlier
- FortiClient iOS 5.2.1 or earlier
- FortiClient Android 5.2.6 or earlier
- FortiDDoS 4.1.5 or earlier
- FortiMail 4.3.10 or earlier
- FortiRecorder 2.0.1 or earlier
- FortiSandbox 2.0.0 or earlier
- FortiVoice Enterprise 3.0.6 or earlier
- FortiWeb 5.3.3 or earlier
- FSSO build 235 or earlier
For all products, please contact Fortinet TAC support for updates on the patched release current ETA.