[Fortinet] Information Disclosure Vulnerability in OpenSSL (Heartbleed)

An information disclosure vulnerability has been discovered in OpenSSL versions 1.0.1 through 1.0.1f. This vulnerability may allow an attacker to access sensitive information from memory by sending specially-crafted TLS heartbeat requests.


Impact

Under certain circumstances, exploitation of this vulnerability can result in the disclosure of sensitive information.

Affected Products

FortiGate (FortiOS) 5.0.0 up to 5.0.6

FortiClient 5.x

FortiAuthenticator 3.x

FortiMail 4.3.x and 5.x

FortiVoice models 200D, 200D-T and VM

FortiRecorder

FortiADC D-Series models 1500D, 2000D and 4000D

FortiADC E-Series 3.x

Coyote Point Equalizer GX / LX 10.x

FortiDDoS 4.x

FortiDNS

AscenLink v6.5 and 7.0

Solutions

FortiGate Firewall: Upgrade to FortiOS 5.0.7. Please note that FortiOS 4.3 (4.0MR3) and lower are not affected by this vulnerability.

FortiAuthenticator: A software update for FortiAuthenticator is now available on the Fortinet Support site. This vulnerability is fixed in FortiAuthenticator version 3.0.2.

If a software upgrade is not possible, a workaround is available through an IPS signature.

Apply the mitigating IPS signature to interface policies on affected FortiGate devices. The IPS signature was released in IPS update 4.476 and is named "OpenSSL.TLS.Heartbeat.Information.Disclosure" (http://www.fortiguard.com/advisory/FG-IR-14-011/).
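The vulnerability described at the top of this advisory, and the IPS signature offered as a workaround, both hinge on one consistency check: a TLS heartbeat message (RFC 6520) carries a 2-byte declared payload length, and a safe implementation must verify that the declared payload plus the mandatory 16 bytes of padding actually fit inside the TLS record that arrived. The following is an added example, not code from Fortinet or from OpenSSL; it parses a single TLS heartbeat record and flags the inconsistency that a patched OpenSSL rejects and that a network signature looks for. The `build_heartbeat` helper and the sample records are constructed test data, and only the standard library is used.

```python
import struct

TLS_HEARTBEAT = 0x18            # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2  # heartbeat message types
MIN_PADDING = 16                # RFC 6520: at least 16 bytes of padding are required


def check_heartbeat_record(record: bytes) -> dict:
    """Parse one TLS record and report whether it is a consistent heartbeat.

    Returns a dict with keys:
      heartbeat - True if the record's content type is heartbeat
      verdict   - "ok", "ignored" (not a heartbeat record / header truncated)
                  or "malformed" (lengths do not agree)
      reason    - short explanation of the verdict
    """
    if len(record) < 5:
        return {"heartbeat": False, "verdict": "ignored",
                "reason": "record header truncated"}

    content_type, version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != TLS_HEARTBEAT:
        return {"heartbeat": False, "verdict": "ignored",
                "reason": "not a heartbeat record"}

    body = record[5:5 + rec_len]
    if len(body) < rec_len:
        return {"heartbeat": True, "verdict": "malformed",
                "reason": "record body shorter than the length in the header"}
    if rec_len < 3:
        return {"heartbeat": True, "verdict": "malformed",
                "reason": "heartbeat message too short for type and length fields"}

    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return {"heartbeat": True, "verdict": "malformed",
                "reason": "unknown heartbeat message type %d" % hb_type}

    # This is the bounds check the patched OpenSSL performs: type (1) +
    # length field (2) + declared payload + minimum padding must fit in
    # the record that was actually received. If it does not, a vulnerable
    # peer would read past the message when building its response.
    if 1 + 2 + payload_len + MIN_PADDING > rec_len:
        return {"heartbeat": True, "verdict": "malformed",
                "reason": "declared payload %d bytes does not fit in record body of %d bytes"
                          % (payload_len, rec_len)}

    return {"heartbeat": True, "verdict": "ok",
            "reason": "payload and padding fit the record"}


def build_heartbeat(payload: bytes, declared_len=None, padding: int = MIN_PADDING) -> bytes:
    """Build a TLS 1.2 heartbeat request record (constructed sample data).

    declared_len lets the caller put a length in the header that disagrees
    with the real payload, which is exactly the inconsistency the checker
    above detects.
    """
    declared = len(payload) if declared_len is None else declared_len
    body = struct.pack("!BH", HB_REQUEST, declared) + payload + b"\x00" * padding
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0303, len(body)) + body


# Constructed samples: a well-formed request, one whose declared length
# far exceeds the record, one with too little padding, and a non-heartbeat record.
GOOD_RECORD = build_heartbeat(b"ping")
OVERSIZED_RECORD = build_heartbeat(b"ping", declared_len=0x4000)
SHORT_PADDING_RECORD = build_heartbeat(b"x", padding=MIN_PADDING - 1)
HANDSHAKE_RECORD = b"\x16\x03\x03\x00\x05hello"

if __name__ == "__main__":
    for name, rec in [("good", GOOD_RECORD), ("oversized", OVERSIZED_RECORD),
                      ("short padding", SHORT_PADDING_RECORD), ("handshake", HANDSHAKE_RECORD)]:
        result = check_heartbeat_record(rec)
        print("%-14s %-9s %s" % (name, result["verdict"], result["reason"]))
```

The same check applies whether it runs inside the TLS stack or in an inline inspection device: a record is only suspicious when the lengths disagree, so legitimate heartbeats (which are rare in practice but valid) pass, while a request that asks for more payload than it supplied is reported as malformed and can be dropped or logged before it reaches an unpatched server.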

Online OpenSSL vulnerability checker

https://lastpass.com/heartbleed/

References

http://heartbleed.com

http://www.fortiguard.com/advisory/FG-IR-14-011/

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

http://www.us-cert.gov/ncas/alerts/TA14-098A