PSIRT Advisories

OpenSSL vulnerabilities - March 2015

Description

OpenSSL released a security advisory in March 2015 to announce multiple security vulnerabilities.

Impact Detail

The impact may vary depending on the affected product (see below).
There is no known public exploit for any of the CVEs mentioned in the OpenSSL advisory.

Affected Products

FortiADC may be impacted by CVE-2015-0285 and CVE-2015-0291.
FortiOS 5.0.11 and 5.2.3 may be impacted by CVE-2015-0286 when the SSLVPN feature with a PKI user and client certificate is used.
FortiClient may be impacted by CVE-2015-0289 and CVE-2015-0292.
Products that allow a PKCS#12 certificate to be imported by an administrator user may be impacted by CVE-2015-0289.
Additionally:
CVE-2015-0207: no product impacted
CVE-2015-0208: no product impacted
CVE-2015-0209: no product impacted
CVE-2015-0287: no product impacted
CVE-2015-0288: no product impacted
CVE-2015-0290: no product impacted
CVE-2015-0293: no product impacted
CVE-2015-1787: no product impacted

Solutions

Regardless of the exploitability (or lack thereof), all products embedding a vulnerable version of OpenSSL will be updated. The following list gives the product versions that will embed a patched OpenSSL release:
  • FortiOS: 5.0.12 / 5.2.4 or above
  • FortiManager: 5.0.11 / 5.2.2 or above
  • FortiAnalyzer: 5.0.11 / 5.2.2 or above
  • FortiMail: 4.3.10 / 5.0.9 / 5.1.6 / 5.2.4 or above
  • FortiWeb: 5.3.5 or above
  • FortiAuthenticator: 3.3.1 / 4.0 or above
  • FortiClient: Windows/MAC 5.2.4, Android 5.2.6, iOS 5.2.1 or above
  • FortiRecorder: 2.0.1 / 2.1.1 or above
  • FortiVoice Enterprise: 3.0.6 / 4.0.1 / 4.1.0 or above
  • AscenLink: 7.2.3 or above
  • FortiADC: 4.2.2 or above
  • FortiAP: 5.2.4 or above

For all products, contact Fortinet TAC support for the current ETA of the patched release.
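As an added example (not part of this advisory and not Fortinet's own tooling), the following Python check compares a product build against the patched releases listed above, reading each "X or above" entry as applying within its own release branch. The product keys, the per-platform FortiClient naming and the "unknown" result for branches the advisory does not list are assumptions made here.

```python
import re

# Patched releases from the advisory, one list per product. FortiClient is
# split per platform here (a naming choice for this example), since each
# platform has its own patched build.
PATCHED = {
    "FortiOS": ["5.0.12", "5.2.4"],
    "FortiManager": ["5.0.11", "5.2.2"],
    "FortiAnalyzer": ["5.0.11", "5.2.2"],
    "FortiMail": ["4.3.10", "5.0.9", "5.1.6", "5.2.4"],
    "FortiWeb": ["5.3.5"],
    "FortiAuthenticator": ["3.3.1", "4.0"],
    "FortiClient/Windows": ["5.2.4"],
    "FortiClient/MAC": ["5.2.4"],
    "FortiClient/Android": ["5.2.6"],
    "FortiClient/iOS": ["5.2.1"],
    "FortiRecorder": ["2.0.1", "2.1.1"],
    "FortiVoice Enterprise": ["3.0.6", "4.0.1", "4.1.0"],
    "AscenLink": ["7.2.3"],
    "FortiADC": ["4.2.2"],
    "FortiAP": ["5.2.4"],
}

def parse(version):
    """'5.2.3,build0670' -> (5, 2, 3); build suffixes are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError("unparseable version: %r" % version)
    return tuple(int(p) for p in m.group(0).split("."))

def branch(fix):
    # A three-part fix such as 5.2.4 covers the 5.2 branch; a two-part fix
    # such as FortiAuthenticator's "4.0" is read here as covering all of 4.x.
    return fix[:2] if len(fix) >= 3 else fix[:1]

def status(product, version):
    """Return 'patched', 'vulnerable' or 'unknown' (branch not in the advisory)."""
    fixes = PATCHED.get(product)
    if fixes is None:
        return "unknown"
    ver = parse(version)
    for fix in map(parse, fixes):
        b = branch(fix)
        if ver[:len(b)] == b:
            return "patched" if ver >= fix else "vulnerable"
    # Deliberately conservative: a branch the advisory does not list is
    # reported as unknown rather than guessed.
    return "unknown"
```

A build in an unlisted branch (for example a hypothetical FortiOS 5.1.x) is reported as "unknown" so that it is escalated to TAC rather than silently treated as fixed.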