Sweet32 Birthday attack in TLS

Summary

The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.


https://nvd.nist.gov/vuln/detail/CVE-2016-2183
https://nvd.nist.gov/vuln/detail/CVE-2016-6329
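The script below is an added example, not part of this advisory and not Fortinet code. It turns the summary's "approximately four billion blocks" into the birthday-bound arithmetic for a 64-bit block cipher, and then audits a list of TLS cipher-suite names for the ciphers that bound applies to (DES and 3DES, plus IDEA, RC2 and Blowfish, which share the 64-bit block size). The suite names in SAMPLE_SCAN are constructed for the example; the last function assumes an OpenSSL-backed Python build, where the cipher-string keywords 3DES, DES, IDEA and RC2 are recognised. Only the standard library is used.

```python
"""Audit TLS cipher-suite names for 64-bit block ciphers (Sweet32 exposure).

Added example; not part of the Fortinet advisory and not Fortinet code.
It uses only the Python standard library. The suite names in SAMPLE_SCAN
are constructed here to stand in for the output of a cipher scan.
"""
import re
import ssl

# Name tokens (OpenSSL and IANA spellings) that identify a 64-bit block
# cipher: DES and 3DES are the Sweet32 ciphers; IDEA, RC2 and Blowfish
# have the same 64-bit block size and therefore the same birthday bound.
WEAK_BLOCK_TOKENS = {"DES", "3DES", "IDEA", "RC2", "BF"}

# Constructed sample, in the form a scanner or server config lists suites.
SAMPLE_SCAN = [
    "TLS_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-DES-CBC3-SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "DES-CBC-SHA",
    "IDEA-CBC-SHA",
]


def birthday_bound_blocks(block_bits: int) -> int:
    """Blocks after which a CBC ciphertext-block collision becomes likely.

    For an n-bit block cipher this is about 2^(n/2); with n = 64 that is
    2^32, the "approximately four billion blocks" in the summary.
    """
    return 1 << (block_bits // 2)


def birthday_bound_bytes(block_bits: int) -> int:
    """The same bound as bytes encrypted under one key (32 GiB for 64-bit blocks)."""
    return birthday_bound_blocks(block_bits) * (block_bits // 8)


def uses_64bit_block_cipher(suite_name: str) -> bool:
    """True if the suite name contains a 64-bit block cipher.

    Names are split on '-' and '_' so that 'AES128' and 'DES' are separate
    tokens and an AES suite can never match the DES check.
    """
    tokens = set(re.split(r"[-_]", suite_name.upper()))
    return bool(tokens & WEAK_BLOCK_TOKENS)


def audit_suites(suite_names) -> list:
    """Return the suites to which a Sweet32-style birthday attack applies."""
    return [name for name in suite_names if uses_64bit_block_cipher(name)]


def audit_context(ctx: ssl.SSLContext) -> list:
    """Audit the suites the local OpenSSL-backed context would offer."""
    return audit_suites(c["name"] for c in ctx.get_ciphers())


def sweet32_free_context() -> ssl.SSLContext:
    """Client context whose cipher string excludes every 64-bit block cipher.

    This is the OpenSSL cipher-string counterpart of the advisory's FortiOS
    'set banned-cipher 3DES' / 'set strong-crypto enable' settings.
    """
    ctx = ssl.create_default_context()
    ctx.set_ciphers("DEFAULT:!3DES:!DES:!IDEA:!RC2")
    return ctx


if __name__ == "__main__":
    print(f"64-bit block birthday bound: {birthday_bound_blocks(64):,} blocks "
          f"({birthday_bound_bytes(64) / 2**30:.0f} GiB under one key)")
    print("Sweet32-exposed suites in sample:", audit_suites(SAMPLE_SCAN))
    print("Exposed suites in hardened context:", audit_context(sweet32_free_context()))
```

The 32 GiB figure is why the attack needs a long-lived session: a TLS connection that renegotiates or rekeys well before that volume never reaches the bound, but a single HTTPS session kept open for many gigabytes does. Removing the 64-bit suites, as the Solutions section does on each Fortinet product, closes the gap regardless of session length.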

Affected Products

FortiOS Web adminUI: 5.0.5 and below
FortiOS SSL VPN Web Portal: 5.2.9 and below, 5.4.0, 5.4.1
FortiOS VIP, WANOpt, VoIP: 5.4.4 and below
FortiOS webfilter override and authentication service: 5.4.8 and below, 5.6.0 to 5.6.3
FortiAP: 6.0.0 and below
FortiAnalyzer: 5.2.9 and below, 5.4.0, 5.4.1, 5.4.6 and above for 5.4 branch, 6.0.2
FortiSwitch: 3.6.7 and below, 6.0.0, 6.0.1
FortiClient EMS (port 8013): 7.0.8 and below, 7.2.0

Solutions

FortiOS Web adminUI:
Upgrade to 5.0.6 or above and ensure the following CLI commands are set:

config system global
    set strong-crypto enable
end

FortiOS SSL VPN Web Portal:
Upgrade to 5.2.10 or above for the 5.2 branch, or 5.4.2 or above, and ensure the following CLI commands are set:

config vpn ssl settings
    set algorithm high
end

Alternatively, starting from FortiOS 5.4.1, the following CLI command disables the 3DES ciphers:

config vpn ssl settings
    set banned-cipher 3DES
end

FortiOS VIP, WANOpt, VoIP:
Upgrade to 5.4.5 or above and ensure the following CLI commands are set:

config wanopt settings
    set tunnel-ssl-algorithm high
end

config firewall ssl-server
    set ssl-algorithm high
end

config voip profile
    edit [profile-name]
        config sip
            set ssl-algorithm high
        end
    next
end

config firewall vip
    edit [vip-name]
        set type server-load-balance
        set server-type ssl
        set ssl-algorithm high
    next
end

config web-proxy explicit
    set ssl-algorithm high
end

FortiOS webfilter override and authentication service:
Upgrade to 5.4.9 or above for the 5.4 branch, or 5.6.4 or above, and ensure the following CLI commands are set:

config system global
    set strong-crypto enable
end

FortiAP:
Upgrade to 6.0.1 or above.

FortiAnalyzer:
Upgrade to 5.2.10 or above for the 5.2 branch, 5.4.2 to 5.4.5*, 5.6.0 or above for the 5.6 branch, 6.0.0, 6.0.1, or 6.0.3* and above, and ensure the following CLI commands are set:

config system global
    set enc-algorithm high
    set ssl-low-encryption disable
end

* The FortiAnalyzer 5.4 branch, starting from 5.4.6, is still vulnerable to the Sweet32 attack.
* FortiAnalyzer 6.0.2 is still vulnerable to the Sweet32 attack.

FortiSwitch:
Upgrade to 3.6.8 or above for the 3.6 branch, or 6.0.2 or above, and ensure the following CLI commands are set:

config system global
    set strong-crypto enable
end

FortiClient EMS:
Upgrade to EMS version 7.2.1 or above, or 7.0.9 or above.