OpenSSL CVE-2015-0285 Weak Encryption Vulnerability

Description

Severity: Low

Under certain conditions an OpenSSL 1.0.2 client can complete a handshake with an unseeded PRNG. The conditions are:

and the user has not seeded manually

SSL_client_methodv23)

PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA).

If the handshake succeeds then the client random that has been used will have been generated from a PRNG with insufficient entropy and therefore the output may be predictable.

For example using the following command with an unseeded openssl will succeed on an unpatched platform:

    openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA

This issue affects OpenSSL version: 1.0.2

OpenSSL 1.0.2 users should upgrade to 1.0.2a.

This issue was discovered and the fix was developed by Matt Caswell of the OpenSSL development team.
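A triage check for the affected-version statement above, written for this page as an added example (it is not part of the advisory or of OpenSSL). It classifies `openssl version` banners so that 1.0.2 is flagged while 1.0.2a and later letter releases are not, which a plain prefix match on "1.0.2" gets wrong. The function name, host names and sample banners are constructed, and the banner is assumed to reflect the upstream version.

```shell
#!/bin/sh
# Added example: classify an `openssl version` banner against CVE-2015-0285.
# Per the advisory, only 1.0.2 is affected and 1.0.2a carries the fix.

# classify_banner "<banner>" (hypothetical helper) prints one of:
#   affected    exactly 1.0.2
#   fixed       1.0.2 followed by a letter release (1.0.2a and later)
#   review      1.0.2 with another suffix (e.g. -beta); check by hand
#   not-listed  any other branch; the advisory does not name it
#   unparsed    the line is not an OpenSSL banner
classify_banner() {
    banner=$1
    name=${banner%% *}       # first word, expected "OpenSSL"
    rest=${banner#* }        # everything after the first space
    version=${rest%% *}      # second word, e.g. "1.0.2a"
    if [ "$name" != "OpenSSL" ] || [ "$rest" = "$banner" ]; then
        echo unparsed
        return 0
    fi
    case "$version" in
        1.0.2)        echo affected ;;
        1.0.2[a-z]*)  echo fixed ;;
        1.0.2*)       echo review ;;
        *)            echo not-listed ;;
    esac
}

# Constructed inventory: "<host> <banner>" as collected from each machine.
while read -r host banner; do
    printf '%-8s %-11s %s\n' "$host" "$(classify_banner "$banner")" "$banner"
done <<'EOF'
host-a OpenSSL 1.0.2 22 Jan 2015
host-b OpenSSL 1.0.2a 19 Mar 2015
host-c OpenSSL 1.0.1m 19 Mar 2015
host-d OpenSSL 1.0.2-beta3 25 Sep 2014
EOF
```

A host reported as `affected` still needs the other conditions in the description to hold before the weak client random applies; the banner check only narrows down where to look.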

Affected Applications

OpenSSL

CVE References

CVE-2015-0285