PSIRT Advisories
Sweet32 Birthday attack in TLS
Summary
The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.
Affected Products
FortiOS Web adminUI: 5.0.5 and below
FortiOS SSL VPN Web Portal: 5.2.9 and below, 5.4.0, 5.4.1
FortiOS VIP, WANOpt, VoIP: 5.4.4 and below
FortiOS webfilter override and authentication service: 5.4.8 and below, 5.6.0 to 5.6.3
FortiAP 6.0.0 and below
FortiAP-W2 5.4.5 and below, 5.6.0 to 5.6.3, 6.0.0
FortiAnalyzer 5.2.9 and below, 5.4.0, 5.4.1, 5.4.6 and above for the 5.4 branch, 6.0.2
FortiSwitch 3.6.7 and below, 6.0.0, 6.0.1
Solutions
FortiOS Web adminUI:
Upgrade to 5.0.6 or above and ensure the following CLI commands are set:
config system global
set strong-crypto enable
end
FortiOS SSL VPN Web Portal:
Upgrade to 5.2.10 or above for the 5.2 branch, or to 5.4.2 or above, and ensure the following CLI commands are set:
config vpn ssl settings
set algorithm high
end
Alternatively, starting from FortiOS 5.4.1, the following CLI command disables the 3DES ciphers:
config vpn ssl settings
set banned-cipher 3DES
end
FortiOS VIP, WANOpt, VoIP:
Upgrade to 5.4.5 or above and ensure the following CLI commands are set:
config wanopt settings
set tunnel-ssl-algorithm high
end
config firewall ssl-server
set ssl-algorithm high
end
config voip profile
edit [profile-name]
config sip
set ssl-algorithm high
end
next
end
config firewall vip
edit [vip-name]
set type server-load-balance
set server-type ssl
set ssl-algorithm high
next
end
config web-proxy explicit
set ssl-algorithm high
end
FortiOS webfilter override and authentication service:
Upgrade to 5.4.9 or above for the 5.4 branch, or to 5.6.4 or above, and ensure the following CLI commands are set:
config system global
set strong-crypto enable
end
FortiAP Series:
FortiAP: Upgrade to 6.0.1 or above
FortiAP-W2: Upgrade to 5.4.6 or above for the 5.4 branch, 5.6.4 or above for the 5.6 branch, or 6.0.1 or above
FortiAnalyzer:
Upgrade to 5.2.10 or above for the 5.2 branch, 5.4.2 to 5.4.5*, 5.6.0 or above for the 5.6 branch, or 6.0.0, 6.0.1, or 6.0.3* and above, and ensure the following CLI commands are set:
config system global
set enc-algorithm high
set ssl-low-encryption disable
end
* FortiAnalyzer 5.4 branch versions from 5.4.6 onward are still vulnerable to the Sweet32 attack.
* FortiAnalyzer 6.0.2 is still vulnerable to the Sweet32 attack.
FortiSwitch:
Upgrade to 3.6.8 or above for the 3.6 branch, or to 6.0.2 or above, and ensure the following CLI commands are set:
config system global
set strong-crypto enable
end
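As an added example (not Fortinet's code or part of this advisory), the following Python script parses a configuration dump written in the config/edit/next/end/set block syntax shown in the solutions above and flags settings that differ from the values this advisory requires for FortiOS. The sample dump and the VIP name "web-lb" are constructed; real dumps may contain constructs this minimal parser does not handle.

```python
import re
# Constructed sample dump (not from a real device): two settings still weak.
SAMPLE_CONFIG = """\
config system global
    set strong-crypto disable
end
config vpn ssl settings
    set algorithm high
end
config firewall vip
    edit "web-lb"
        set server-type ssl
        set ssl-algorithm low
    next
end
"""

def parse_fortios(text):
    """Parse config/edit/next/end/set blocks into {path: {key: value}}."""
    settings, stack = {}, []
    for raw in text.splitlines():
        cmd, _, rest = raw.strip().partition(" ")
        if cmd == "config":           # open a table, e.g. 'system global'
            stack.append(rest)
        elif cmd == "edit":           # open an entry, e.g. vip name 'web-lb'
            stack.append(rest.strip('"'))
        elif cmd in ("next", "end"):  # close the innermost entry or table
            stack.pop()
        elif cmd == "set":
            key, _, value = rest.partition(" ")
            settings.setdefault("/".join(stack), {})[key] = value.strip('"')
    return settings

# (path regex, key, required value, precondition); the vip rule applies
# only to SSL server-load-balance VIPs, as in the advisory's CLI block.
REQUIRED = [
    (r"^system global$", "strong-crypto", "enable", {}),
    (r"^vpn ssl settings$", "algorithm", "high", {}),
    (r"^firewall vip/", "ssl-algorithm", "high", {"server-type": "ssl"}),
]

def find_weak(settings, required=REQUIRED):
    """Return (path, key, actual value) for each block that deviates."""
    findings = []
    for pattern, key, expected, precond in required:
        for path, kv in settings.items():
            applies = re.match(pattern, path) and all(
                kv.get(k) == v for k, v in precond.items())
            if applies and kv.get(key) != expected:
                findings.append((path, key, kv.get(key)))
    return findings
```

Run `find_weak(parse_fortios(open("dump.txt").read()))` against a saved CLI dump; an empty list means every checked block already carries the advisory's required value.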
Revisions:
2019-02-07 Initial Version.
2019-03-05 FortiAP affected version and solution updated.
2019-03-07 Add FortiAP-W2 affected versions and solutions.