PSIRT Advisory

OpenSSL vulnerabilities - June 2015


OpenSSL released a security advisory in June 2015 to announce multiple security vulnerabilities.


Denial of service and memory corruption


With regard to the recent OpenSSL updates that address CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791 and CVE-2015-1792, Fortinet will update OpenSSL in the following products, which contain affected versions of OpenSSL:
  • FortiOS 5.2.3 and earlier
  • FortiManager 5.2.2 and earlier
  • FortiAnalyzer 5.2.2 and earlier
  • FortiMail 5.0.8/5.1.5/5.2.4 and earlier
  • FortiAuthenticator (versions before 4.0)
  • AscenLink 7.2.4 and earlier
  • FortiRecorder 2.0 and earlier
  • FortiWan 4.0.2 and earlier
  • FortiClient Windows/Mac 5.2.3 and earlier
  • FortiClient Android 5.2.5 and earlier

Fortinet believes the exploitability and risk of these issues are low or non-existent, but the following workarounds are suggested for customers unable to deploy an update when available:
  • CVE-2015-1788 workaround: Limit access to features that validate TLS client authentication with a certificate.
  • CVE-2015-1789 workaround: Limit access to features that validate TLS client authentication with a certificate or that verify CRLs when used as a TLS client.
  • CVE-2015-1790 workaround: Limit access to devices that can import PKCS7.
  • CVE-2015-1791 workaround: Fortinet products are not affected.
  • CVE-2015-1792 workaround: Limit access to features that handle S/MIME messages.

Special consideration for CVE-2015-4000 “Logjam”:

See FortiGuard bulletin FG-IR-15-013. The following products must be upgraded to the updated versions:
  • FortiOS 4.3.16, FortiOS 5.0.8 or above, FortiOS 5.2.3 or earlier
  • FortiManager 5.0.9 or earlier
  • FortiAnalyzer 5.0.9 or earlier
  • FortiAP 5.0.8 or earlier
  • AscenLink 7.2.3 or earlier
  • FortiADC 4.2.0 or earlier
  • FortiAuthenticator 3.1.0 or earlier
  • FortiCache 3.0.0 or earlier
  • FortiClient Windows/Mac 5.2.3 or earlier
  • FortiClient iOS 5.2.1 or earlier
  • FortiClient Android 5.2.6 or earlier
  • FortiDDoS 4.1.5 or earlier
  • FortiMail 4.3.10 or earlier
  • FortiRecorder 2.0.1 or earlier
  • FortiSandbox 2.0.0 or earlier
  • FortiVoice Enterprise 3.0.6 or earlier
  • FortiWeb 5.3.3 or earlier
  • FSSO build 235 or earlier

For all products, please contact Fortinet TAC support for the current ETA of the patched release.