PSIRT Advisory

Sweet32 Birthday attack in TLS

Summary

The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.


https://nvd.nist.gov/vuln/detail/CVE-2016-2183
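The "approximately four billion blocks" figure in the summary is the birthday bound of a 64-bit block cipher: after about 2^(b/2) blocks of a b-bit cipher in CBC mode, two ciphertext blocks are likely to repeat, and each repeat leaks the XOR of two plaintext blocks. The following added example (not part of the advisory, not Fortinet code) works the arithmetic through for DES/3DES and, for comparison, AES, and shows how much traffic a long-lived session has to carry before the collision probability becomes material. The names `birthday_bound_blocks`, `collision_probability` and `blocks_for_probability` are this example's own.

```python
"""Birthday-bound arithmetic behind the Sweet32 figure.

Added example illustrating the advisory's "about four billion blocks";
it is not Fortinet code and performs no attack, only the arithmetic.
"""

import math

# Block sizes in bits of the ciphers being compared (constructed table).
BLOCK_BITS = {"DES / 3DES": 64, "AES": 128}


def birthday_bound_blocks(block_bits):
    """Number of blocks after which a ciphertext-block collision becomes
    likely: about 2**(b/2) for a b-bit block (the birthday bound)."""
    return 2 ** (block_bits // 2)


def bound_in_bytes(block_bits):
    """The same bound expressed as encrypted data volume
    (block_bits / 8 bytes per block)."""
    return birthday_bound_blocks(block_bits) * (block_bits // 8)


def collision_probability(n_blocks, block_bits):
    """Probability that at least two of n_blocks uniformly random b-bit
    blocks coincide, using the standard birthday approximation
    1 - exp(-n^2 / 2^(b+1))."""
    exponent = -(n_blocks ** 2) / 2 ** (block_bits + 1)
    return 1.0 - math.exp(exponent)


def blocks_for_probability(p, block_bits):
    """Inverse of collision_probability: how many blocks must be encrypted
    under one key for a collision to occur with probability p."""
    return math.sqrt(-(2 ** (block_bits + 1)) * math.log(1.0 - p))


if __name__ == "__main__":
    for name, bits in BLOCK_BITS.items():
        n = birthday_bound_blocks(bits)
        print(f"{name}: {bits}-bit block, birthday bound 2^{bits // 2} "
              f"= {n:,} blocks = {bound_in_bytes(bits) / 2**30:,.0f} GiB, "
              f"P(collision) at the bound = {collision_probability(n, bits):.3f}")
    # A long-lived 3DES session does not need the full 32 GiB to be at risk:
    gib = blocks_for_probability(0.01, 64) * 8 / 2**30
    print(f"3DES: roughly {gib:.1f} GiB of traffic gives a 1% collision chance")
```

For a 64-bit block the bound is 2^32 blocks, i.e. 32 GiB of ciphertext under one key, at which point the collision probability is already about 39%; a 128-bit block pushes the same bound to 2^64 blocks, which is why the fix is to stop negotiating DES/3DES rather than to shorten sessions.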

Impact

Information Disclosure

Affected Products

FortiOS Web adminUI: 5.0.5 and below
FortiOS SSL VPN Web Portal: 5.2.9 and below, 5.4.0, 5.4.1
FortiOS VIP, WANOpt, VoIP: 5.4.4 and below
FortiOS webfilter override and authentication service: 5.4.8 and below, 5.6.0 to 5.6.3


FortiAP 6.0.0 and below
FortiAP-W2 5.4.5 and below, 5.6.0 to 5.6.3, 6.0.0


FortiAnalyzer 5.2.9 and below, 5.4.0, 5.4.1, 5.4.6 and above for 5.4 branch, 6.0.2


FortiSwitch 3.6.7 and below, 6.0.0, 6.0.1

Solutions

FortiOS Web adminUI: 

Upgrade to 5.0.6 and above, and ensure the following CLI commands are set:
config system global
set strong-crypto enable
end


FortiOS SSL VPN Web Portal: 

Upgrade to 5.2.10 and above for the 5.2 branch, or 5.4.2 and above, and ensure the following CLI commands are set:
config vpn ssl settings
set algorithm high
end
Alternatively, starting from FortiOS 5.4.1, the following CLI commands disable the 3DES ciphers:
config vpn ssl settings
set banned-cipher 3DES
end


FortiOS VIP, WANOpt, VoIP:

Upgrade to 5.4.5 and above, and ensure the following CLI commands are set:
config wanopt settings
set tunnel-ssl-algorithm high
end
config firewall ssl-server
set ssl-algorithm high
end
config voip profile
edit [profile-name]
config sip
set ssl-algorithm high
end
next
end
config firewall vip
edit [vip-name]
set type server-load-balance
set server-type ssl
set ssl-algorithm high
next
end
config web-proxy explicit
set ssl-algorithm high
end


FortiOS webfilter override and authentication service:

Upgrade to 5.4.9 and above for the 5.4 branch, or 5.6.4 and above, and ensure the following CLI commands are set:
config system global
set strong-crypto enable
end


FortiAP Series:

FortiAP: Upgrade to 6.0.1 and above
FortiAP-W2: Upgrade to 5.4.6 and above for the 5.4 branch, 5.6.4 and above for the 5.6 branch, or 6.0.1 and above


FortiAnalyzer:

Upgrade to 5.2.10 and above for the 5.2 branch, 5.4.2 to 5.4.5*, 5.6.0 and above for the 5.6 branch, 6.0.0, 6.0.1, or 6.0.3* and above, and ensure the following CLI commands are set:
config system global
set enc-algorithm high
set ssl-low-encryption disable
end 

* The FortiAnalyzer 5.4 branch, starting from 5.4.6, is still vulnerable to the Sweet32 attack.

* FortiAnalyzer 6.0.2 is still vulnerable to the Sweet32 attack.


FortiSwitch:

Upgrade to 3.6.8 and above for the 3.6 branch, or 6.0.2 and above, and ensure the following CLI commands are set:
config system global
set strong-crypto enable
end
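Upgrading removes the vulnerable code paths only if the crypto settings listed in the sections above are actually in place, and on a large estate that is easiest to confirm from configuration backups rather than by logging in to each device. The following added example (not Fortinet code and not part of the advisory) parses the `config` / `edit` / `set` / `next` / `end` nesting of a FortiOS configuration dump and reports which of the settings from the FortiOS solutions above are missing: `strong-crypto enable` under `config system global`, either `algorithm high` or `banned-cipher 3DES` under `config vpn ssl settings`, and `ssl-algorithm high` on every `firewall vip` entry of server-type `ssl`. The same parser works for the `config system global` blocks in the FortiAnalyzer and FortiSwitch sections; only the rule table would change. The sample configuration embedded below is constructed for the example, and the values `algorithm default` and `ssl-algorithm low` in it are assumed non-compliant values, not taken from the page.

```python
"""Audit a FortiOS configuration dump for the Sweet32 (CVE-2016-2183)
mitigations listed in the advisory.

Added example; it is not Fortinet code.  SAMPLE_CONFIG is constructed for
the example and contains one compliant and one non-compliant case per check.
"""

from collections import defaultdict

SAMPLE_CONFIG = """\
config system global
    set strong-crypto disable
end
config vpn ssl settings
    set algorithm default
    set banned-cipher 3DES
end
config firewall vip
    edit "web-lb"
        set type server-load-balance
        set server-type ssl
        set ssl-algorithm high
    next
    edit "legacy-lb"
        set type server-load-balance
        set server-type ssl
        set ssl-algorithm low
    next
end
"""


def parse_fortios_config(text):
    """Flatten FortiOS config nesting into a dict mapping a path tuple,
    e.g. ('system global',) or ('firewall vip', 'web-lb'), to the
    'set' statements found directly inside that block."""
    settings = defaultdict(dict)
    stack = []  # current nesting of 'config ...' and 'edit ...' blocks
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        word, _, rest = line.partition(" ")
        if word == "config":
            stack.append(rest.strip())
        elif word == "edit":
            stack.append(rest.strip().strip('"'))
        elif word in ("next", "end"):
            if stack:
                stack.pop()
        elif word == "set":
            key, _, value = rest.strip().partition(" ")
            settings[tuple(stack)][key] = value.strip()
    return settings


def sweet32_findings(settings):
    """Return human-readable findings for the advisory's FortiOS settings;
    an empty list means every applicable check passed."""
    findings = []

    glob = settings.get(("system global",), {})
    if glob.get("strong-crypto") != "enable":
        findings.append("system global: strong-crypto is not enabled")

    ssl = settings.get(("vpn ssl settings",), {})
    banned = ssl.get("banned-cipher", "").upper().split()
    if ssl.get("algorithm") != "high" and "3DES" not in banned:
        findings.append("vpn ssl settings: neither 'algorithm high' "
                        "nor 'banned-cipher 3DES' is set")

    for path, block in settings.items():
        is_ssl_vip = (len(path) == 2 and path[0] == "firewall vip"
                      and block.get("server-type") == "ssl")
        if is_ssl_vip and block.get("ssl-algorithm") != "high":
            findings.append(f"firewall vip {path[1]}: ssl-algorithm is not high")
    return findings


if __name__ == "__main__":
    for finding in sweet32_findings(parse_fortios_config(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Run against a real backup the script would report the global `strong-crypto` gap and the `legacy-lb` VIP; the SSL VPN block passes because `banned-cipher 3DES` is accepted as an alternative to `algorithm high`, exactly as the SSL VPN section above allows for FortiOS 5.4.1 and later.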


Revisions:
2019-02-07 Initial Version.
2019-03-05 FortiAP affected version and solution updated.
2019-03-07 Add FortiAP-W2 affected versions and solutions.