PSIRT Advisories

FortiOS supports weak cipher suites when connecting to FortiGuard servers

Description

When connecting to a FortiGuard server via TLS, FortiOS 5.2.3/5.0.11 and below supports multiple weak cipher suites, including anonymous, export-grade and RC4 suites.
Although FortiGuard servers only offer strong ciphers in return, an attacker in a man-in-the-middle position may leverage FortiOS' acceptance of weak ciphers to decrypt and tamper with the TLS connection.
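As an added audit example (not code from the advisory or from Fortinet), the following Python script parses the cipher suites a TLS client offers in its ClientHello and flags the weak categories named above, which is how a defender can verify what a client such as FortiOS actually offers on the wire; the suite table, helper names and the sample ClientHello are constructed for this demonstration.

```python
import struct

# Constructed subset of the IANA TLS cipher-suite registry, enough for the demo.
SUITE_NAMES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0x001B: "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

# Markers for the categories the advisory lists: anonymous, export, RC4 (plus NULL).
WEAK_MARKERS = ("_anon_", "_EXPORT_", "_RC4_", "_NULL_")

def parse_client_hello_suites(record: bytes) -> list:
    """Return the cipher-suite codes offered in a TLS ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not body or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                      # handshake header, client_version, random
    sid_len = body[pos]; pos += 1 + sid_len
    n = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]

def weak_suites(record: bytes) -> list:
    """Names of offered suites that are anonymous, export-grade, RC4 or NULL."""
    names = [SUITE_NAMES.get(c, f"UNKNOWN_0x{c:04X}") for c in parse_client_hello_suites(record)]
    return [name for name in names if any(m in name for m in WEAK_MARKERS)]

def build_client_hello(suites: list) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record carrying the given suites."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed sample: a client that, like the affected FortiOS builds, still
# offers anonymous, export and RC4 suites alongside strong ones.
SAMPLE = build_client_hello([0xC02F, 0x002F, 0x0004, 0x0003, 0x0018, 0x0000])

if __name__ == "__main__":
    for name in weak_suites(SAMPLE):
        print("WEAK:", name)
```

A fixed client should produce an empty list here; any non-empty result means a downgrade by an on-path attacker remains possible regardless of what the server prefers.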

Affected Products

FortiOS 5.2.0 to 5.2.3
FortiOS 5.0.0 to 5.0.11

Solutions

FortiOS (including with FIPS-CC licenses) must be upgraded to 5.0.12 or 5.2.4.

Acknowledgement

Thanks to the Citrix Security Team.