Description
An information disclosure vulnerability has been discovered in OpenSSL versions 1.0.1 through 1.0.1f. This vulnerability may allow an attacker to access sensitive information from memory by sending specially-crafted TLS heartbeat requests.
Impact Detail
Under certain circumstances, exploitation of this vulnerability can result in the disclosure of sensitive information.
Affected Products
FortiGate (FortiOS) 5.0.0 up to 5.0.6
FortiAuthenticator 2.2 and 3.x
FortiMail 4.3.x and 5.x
FortiVoice models 200D, 200D-T and VM
FortiADC D-Series models 1500D, 2000D and 4000D
FortiADC E-Series 3.x
Coyote Point Equalizer GX / LX 10.x
AscenLink v7.0 and v7.1-B5599
A software update for FortiOS 5 is available for download on the Fortinet support site at http://support.fortinet.com. This vulnerability is fixed in FortiOS version 5.0.7. Please note that FortiOS 4.3 (4.0MR3) and lower are not affected by this vulnerability.
Updated software is available for FortiMail 4.3 (4.0MR3), 5.0 and 5.1 (5.0MR1). This issue is fixed in versions 4.3.7, 5.0.5 and 5.1.2, which are available for download on the Fortinet support site.
This vulnerability is fixed in FortiAuthenticator version 3.0.2, which is available on the Fortinet support site. Customers running earlier versions of FortiAuthenticator are recommended to upgrade to version 3.0.2.
Updated software is available on the Fortinet support site. This issue is fixed in FortiRecorder version 1.4.1.
Updated software is available on the Fortinet support site under the FortiVoiceOS downloads. This vulnerability is fixed in version 3.0.1. Note that only FortiVoice 200D, 200D-T and VM products are affected.
Updated software for the FortiADC D-series is available on the Fortinet support site. This issue is fixed in version 3.2.2.
Updated software for the FortiADC E-series is also available on the Fortinet support site, under FortiADC-E downloads. This issue is fixed in version 3.2.3 of the E-series software.
Information on software fixes for Coyote Point products can be found in the following advisory:
This vulnerability is fixed in FortiDDoS B-series software version 4.0.1, which is available for download on the Fortinet support site. Note that FortiDDoS A-series appliances are not affected.
A software fix for AscenLink is available in version 7.1-B5745, which is available on the Fortinet support site. For users with existing Xtera AscenLink systems still using firmware below V7.1 with Xtera Serial Numbers (AAAA-BBBB-CCCC-DDDD), or any issues accessing Fortinet Support, please contact firstname.lastname@example.org.
FortiClient 5.x prior to 5.0.9 includes the affected OpenSSL libraries. While FortiClient does not respond to TLS heartbeats, Fortinet recommends that customers exercise caution and upgrade to FortiClient 5.0.9.
FortiGate customers may apply the IPS signature entitled "OpenSSL.TLS.Heartbeat.Information.Disclosure" to protect both FortiOS devices (via interface policies) and systems accessible through a FortiGate.
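Added example, not part of the Fortinet advisory or its products: a small inspector that applies the same check an IPS signature such as the one named above performs on a TLS heartbeat record, flagging a heartbeat whose declared payload length cannot fit inside the record (the malformed request the Description section refers to). The record and heartbeat layout follow RFC 6520; the two sample records are constructed here, and the minimum-padding rule is taken from that RFC.

```python
import struct

TLS_HEARTBEAT = 24  # TLS record content type for the Heartbeat extension (RFC 6520)
MIN_PADDING = 16    # RFC 6520: a heartbeat message carries at least 16 bytes of padding


def parse_tls_record(data: bytes):
    """Split one TLS record into (content_type, version, fragment); None if truncated."""
    if len(data) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        return None  # record body shorter than the header claims
    return ctype, (major, minor), fragment


def inspect_heartbeat(data: bytes) -> dict:
    """Classify one TLS record.

    A heartbeat is flagged when its declared payload_length plus the minimum
    padding exceeds the bytes actually carried in the record, i.e. a vulnerable
    receiver would have to read past the message to build its response.
    """
    rec = parse_tls_record(data)
    if rec is None:
        return {"heartbeat": False, "suspicious": False, "reason": "truncated record"}
    ctype, _version, frag = rec
    if ctype != TLS_HEARTBEAT:
        return {"heartbeat": False, "suspicious": False, "reason": "not a heartbeat record"}
    if len(frag) < 3:
        return {"heartbeat": True, "suspicious": True, "reason": "heartbeat header too short"}
    _hb_type, payload_len = struct.unpack("!BH", frag[:3])
    carried = len(frag) - 3  # bytes present after the type and length fields
    if payload_len + MIN_PADDING > carried:
        return {"heartbeat": True, "suspicious": True,
                "reason": f"declared payload {payload_len} bytes, record carries {carried}"}
    return {"heartbeat": True, "suspicious": False, "reason": "well-formed"}


# Constructed sample records (TLS 1.1, content type 24).
# Well-formed request: 4-byte payload "ping" followed by 16 bytes of padding.
BENIGN_HEARTBEAT = bytes([0x18, 0x03, 0x02, 0x00, 0x17, 0x01, 0x00, 0x04]) + b"ping" + b"\x00" * 16
# Malformed request: declares a 16384-byte payload but the record carries only 4 bytes.
MALFORMED_HEARTBEAT = bytes([0x18, 0x03, 0x02, 0x00, 0x07, 0x01, 0x40, 0x00]) + b"ping"

if __name__ == "__main__":
    for name, rec in (("benign", BENIGN_HEARTBEAT), ("malformed", MALFORMED_HEARTBEAT)):
        print(name, inspect_heartbeat(rec))
```

Feeding captured TLS records through inspect_heartbeat() gives a quick way to confirm that a signature or filter in front of an unpatched appliance is catching the malformed case without touching well-formed heartbeats.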
Please be sure to read the release notes when performing any software upgrade. Firmware release dates for other products are pending.
Last Updated: Monday April 21, 2:00PM Pacific Time