Info

Risk: 5 Critical
Date: Apr 08 2014
Impact: Information Disclosure
CVE ID: CVE-2014-0160
Fixed In Firmware: FortiOS 5.0.7, FortiMail 4.3.7, FortiMail 5.0.5, FortiMail 5.1.2, FortiAuthenticator 3.0.2, FortiRecorder 1.4.1, FortiVoiceOS 3.0.1, FortiADC D-series 3.2.2, FortiADC E-series 3.2.3, FortiDDoS 4.0.1, AscenLink 7.1-B5745

Information Disclosure Vulnerability in OpenSSL (Heartbleed)
An information disclosure vulnerability has been discovered in OpenSSL versions 1.0.1 through 1.0.1f. This vulnerability may allow an attacker to access sensitive information from memory by sending specially-crafted TLS heartbeat requests.

Impact

Under certain circumstances, exploitation of this vulnerability can result in the disclosure of sensitive information.

Affected Products

FortiGate (FortiOS) 5.0.0 up to 5.0.6
FortiAuthenticator 2.2 and 3.x
FortiMail 4.3.x and 5.x
FortiVoice models 200D, 200D-T and VM
FortiRecorder
FortiADC D-Series models 1500D, 2000D and 4000D
FortiADC E-Series 3.x
Coyote Point Equalizer GX / LX 10.x
FortiDDoS B-series
FortiDNS
AscenLink v7.0 and v7.1-B5599

Solutions

FortiGate (FortiOS)

A software update for FortiOS 5 is available for download on the Fortinet support site at http://support.fortinet.com. This vulnerability is fixed in FortiOS version 5.0.7. Please note that FortiOS 4.3 (4.0MR3) and lower are not affected by this vulnerability.

FortiMail

Updated software is available for FortiMail 4.3 (4.0MR3), 5.0 and 5.1 (5.0MR1). This issue is fixed in versions 4.3.7, 5.0.5 and 5.1.2, which are available for download on the Fortinet support site.

FortiAuthenticator

This vulnerability is fixed in FortiAuthenticator version 3.0.2, which is available on the Fortinet support site. Customers running earlier versions of FortiAuthenticator are recommended to upgrade to version 3.0.2.

FortiRecorder

Updated software is available on the Fortinet support site. This issue is fixed in FortiRecorder version 1.4.1.

FortiVoice

Updated software is available on the Fortinet support site under the FortiVoiceOS downloads. This vulnerability is fixed in version 3.0.1. Note that only FortiVoice 200D, 200D-T and VM products are affected.

FortiADC

Updated software for the FortiADC D-series is available on the Fortinet support site. This issue is fixed in version 3.2.2.

Updated software for the FortiADC E-series is also available on the Fortinet support site, under FortiADC-E downloads. This issue is fixed in version 3.2.3 of the E-series software.

Information on software fixes for Coyote Point products can be found in the following advisory:
http://www.coyotepoint.com/files/downloads/EqSecurityVulnerabilities.pdf

FortiDDoS

This vulnerability is fixed in FortiDDoS B-series software version 4.0.1, which is available for download on the Fortinet support site. Note that FortiDDoS A-series appliances are not affected.

AscenLink

A software fix for AscenLink is available in version 7.1-B5745 on the Fortinet support site. Users with existing Xtera AscenLink systems still running firmware below V7.1 with Xtera serial numbers (AAAA-BBBB-CCCC-DDDD), or anyone having trouble accessing Fortinet Support, should contact ascenlink@fortinet.com.

FortiClient

FortiClient 5.x prior to 5.0.9 includes the affected OpenSSL libraries. While FortiClient does not respond to TLS heartbeats, Fortinet recommends that customers exercise caution and upgrade to FortiClient 5.0.9.

Workarounds

FortiGate customers may apply the IPS signature entitled "OpenSSL.TLS.Heartbeat.Information.Disclosure" to protect both FortiOS devices (via interface policies) and systems accessible through a FortiGate.
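As an added illustration of the "specially-crafted heartbeat" condition described above and of the length check an IPS signature such as the one named here has to apply, the following Python is example code written for this page; it is not Fortinet's signature nor OpenSSL's code. It parses a TLS record per RFC 6520 (content type 24, then type, payload_length, payload, at least 16 bytes of padding) and flags a heartbeat whose declared payload_length does not fit in the record, which is the same bounds check that the fixed OpenSSL performs. The sample records are constructed inline, not captured traffic.

```python
import struct

HEARTBEAT = 24      # TLS ContentType for heartbeat messages (RFC 6520)
MIN_PADDING = 16    # RFC 6520 requires at least 16 bytes of random padding
RECORD_HDR = struct.Struct('!BHH')   # content type, version, record length

def check_heartbeat_record(record: bytes) -> str:
    """Classify one TLS record; 'oversized-payload' is the Heartbleed condition
    (declared payload_length, plus the mandatory padding, exceeds what the
    record carries), the same bounds check the fixed OpenSSL applies."""
    if len(record) < RECORD_HDR.size:
        return 'truncated'
    content_type, _version, rec_len = RECORD_HDR.unpack_from(record)
    if content_type != HEARTBEAT:
        return 'not-heartbeat'
    body = record[RECORD_HDR.size:RECORD_HDR.size + rec_len]
    if len(body) != rec_len:
        return 'truncated'
    if rec_len < 3:                      # type (1) + payload_length (2) must fit
        return 'malformed'
    _hb_type, payload_len = struct.unpack_from('!BH', body)
    if 1 + 2 + payload_len + MIN_PADDING > rec_len:
        return 'oversized-payload'
    return 'ok'

def scan_stream(data: bytes) -> list:
    """Walk a byte stream of back-to-back TLS records and classify each one."""
    verdicts, offset = [], 0
    while offset + RECORD_HDR.size <= len(data):
        _, _, rec_len = RECORD_HDR.unpack_from(data, offset)
        end = offset + RECORD_HDR.size + rec_len
        verdicts.append(check_heartbeat_record(data[offset:end]))
        offset = end
    return verdicts

def tls_record(content_type: int, body: bytes) -> bytes:
    """Wrap a body in a TLS 1.0 (0x0301) record header; only used to build samples."""
    return RECORD_HDR.pack(content_type, 0x0301, len(body)) + body

# Constructed sample records (not captured traffic).
BENIGN = tls_record(HEARTBEAT, b'\x01' + struct.pack('!H', 4) + b'ping' + b'\x00' * MIN_PADDING)
# Same 4-byte payload, but payload_length claims 0x4000 bytes: the mismatch to detect.
SUSPICIOUS = tls_record(HEARTBEAT, b'\x01' + struct.pack('!H', 0x4000) + b'ping' + b'\x00' * MIN_PADDING)
# Correct payload_length but only 8 bytes of padding; the fixed OpenSSL rejects this too.
SHORT_PADDING = tls_record(HEARTBEAT, b'\x01' + struct.pack('!H', 4) + b'ping' + b'\x00' * 8)
HANDSHAKE = tls_record(22, b'\x01\x00\x00\x00')   # a non-heartbeat record for contrast
```

The check runs on the cleartext record layout, so on a FortiGate it corresponds to inspection of traffic the device itself terminates or can otherwise see unencrypted; heartbeats sent after the handshake are encrypted on the wire.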

Please be sure to read the release notes when performing any software upgrade. Firmware release dates for other products are pending.

Last Updated: Monday April 21, 2:00PM Pacific Time

References

http://heartbleed.com
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
http://www.us-cert.gov/ncas/alerts/TA14-098A