An information disclosure vulnerability has been discovered in OpenSSL versions 1.0.1 through 1.0.1f. This vulnerability may allow an attacker to access sensitive information from memory by sending specially-crafted TLS heartbeat requests.
Impact:
Under certain circumstances, exploitation of this vulnerability can result in the disclosure of sensitive information.
Solutions:
A firmware update for FortiOS is available at http://support.fortinet.com.
This vulnerability is fixed in FortiOS version 5.0.7.
Firmware updates for FortiAuthenticator, FortiMail and FortiRecorder will be available on Friday April 11th. Firmware release dates for other products are pending.
The following workarounds are available:
1. Apply the mitigating IPS signature to interface policies on affected FortiGate devices. The IPS signature was released in IPS update 4.476 and is named "OpenSSL.TLS.Heartbeat.Information.Disclosure". Note that, on an interface policy, this signature inspects both traffic destined to the FortiGate itself and transit traffic. Follow the steps below to configure the FortiGate firewall to use this signature:
1.1. Apply the signature in an IPS sensor (profile).
Use the following CLI to create a new IPS sensor. Its single entry references rule 38307 (the Heartbleed signature) and resets SSL connections that attempt to exploit the OpenSSL Heartbleed vulnerability.
config ips sensor
    edit "ssl.heartbleed"
        config entries
            edit 1
                set action reset
                set rule 38307
                set status enable
            next
        end
    next
end
1.2. Define an SSL services group.
Note: This group is only provided as a sample service group. Include all SSL service ports that are applicable in your environment.
config firewall service custom
    edit "SSLVPN"
        set tcp-portrange 10443
    next
end
config firewall service group
    edit "SSL-Services"
        set member "HTTPS" "SSLVPN"
    next
end
1.3. Apply this sensor to an interface policy (which applies to both local and transit traffic) or regular firewall policy (transit traffic only).
Make sure the policy to which this sensor is applied is specific to SSL services.
To apply the IPS sensor to an interface policy, use the following CLI:
Note: this policy protects the FortiGate itself on the WAN1 interface and all transit traffic arriving on the WAN1 interface, for SSL services only (as defined by the "SSL-Services" group above).
config firewall interface-policy
    edit 0
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "SSL-Services"
        set ips-sensor-status enable
        set ips-sensor "ssl.heartbleed"
    next
end
2. Disable any vulnerable SSL services that are not mission critical.
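The three CLI blocks in step 1 only protect anything if they reference each other consistently: the sensor entry must carry rule 38307 with action reset and status enable, every member of the service group must exist, and an interface policy must point at the sensor with ips-sensor-status enabled. The following script is an added example (not Fortinet's code and not part of the advisory) that parses the config/edit/set/next/end block syntax shown above and reports any of those wiring mistakes. The parser, the check names, the list of assumed built-in service objects (BUILTIN_SERVICES) and the embedded sample config are assumptions of this example; the sample reproduces the advisory's blocks.

```python
import shlex

BUILTIN_SERVICES = {"HTTPS", "HTTP", "ALL"}  # assumed built-in objects (not defined on the page)
HEARTBLEED_RULE_ID = "38307"                 # rule id used in the advisory's sensor entry

# Constructed sample: the advisory's three CLI blocks, joined into one snippet.
SAMPLE_CONFIG = """
config ips sensor
    edit "ssl.heartbleed"
        config entries
            edit 1
                set action reset
                set rule 38307
                set status enable
            next
        end
    next
end
config firewall service custom
    edit "SSLVPN"
        set tcp-portrange 10443
    next
end
config firewall service group
    edit "SSL-Services"
        set member "HTTPS" "SSLVPN"
    next
end
config firewall interface-policy
    edit 0
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "SSL-Services"
        set ips-sensor-status enable
        set ips-sensor "ssl.heartbleed"
    next
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into nested dicts: {table: {entry: {key: [values], ...}}}."""
    root = {}
    stack = [root]  # innermost open block is stack[-1]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # honours the quoting FortiOS uses around names
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]  # every value list, e.g. member -> ["HTTPS", "SSLVPN"]
        elif cmd in ("next", "end"):
            stack.pop()
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit blocks")
    return root


def check_heartbleed_workaround(cfg, sensor_name="ssl.heartbleed"):
    """Return a list of findings; an empty list means the workaround is wired correctly."""
    findings = []
    sensor = cfg.get("ips sensor", {}).get(sensor_name)
    entries = [e for e in (sensor or {}).get("entries", {}).values() if e.get("rule") == [HEARTBLEED_RULE_ID]]
    if not entries:
        findings.append(f"sensor {sensor_name!r} has no entry for rule {HEARTBLEED_RULE_ID}")
    for e in entries:
        if e.get("status") != ["enable"]:
            findings.append(f"rule {HEARTBLEED_RULE_ID} entry is not enabled")
        if e.get("action") != ["reset"]:
            findings.append(f"rule {HEARTBLEED_RULE_ID} entry action is {e.get('action')}, expected ['reset']")
    # Service objects: built-ins plus anything defined under 'firewall service custom'.
    services = BUILTIN_SERVICES | set(cfg.get("firewall service custom", {}))
    groups = cfg.get("firewall service group", {})
    for gname, group in groups.items():
        for member in group.get("member", []):
            if member not in services:
                findings.append(f"service group {gname!r} references undefined service {member!r}")
    active = []  # policies that actually apply the sensor
    for pid, pol in cfg.get("firewall interface-policy", {}).items():
        if pol.get("ips-sensor") != [sensor_name]:
            continue
        for svc in pol.get("service", []):
            if svc not in services and svc not in groups:
                findings.append(f"interface-policy {pid} uses undefined service {svc!r}")
        if pol.get("ips-sensor-status") == ["enable"]:
            active.append(pid)
        else:
            findings.append(f"interface-policy {pid} has ips-sensor-status disabled")
    if not active:
        findings.append(f"no interface policy actively applies sensor {sensor_name!r}")
    return findings


def audit(text):
    return check_heartbleed_workaround(parse_fortios(text))
```

Run `audit()` over the output of `show` for the four tables; an empty list means the sensor, group and policy agree with the advisory's configuration, while a non-empty list names the first place the chain is broken (an entry left at action pass, a sensor referenced but never attached, or a misspelled service name that silently narrows the policy).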
References:
http://www.fortiguard.com/advisory/FG-IR-14-011/
http://heartbleed.com
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
http://www.us-cert.gov/ncas/alerts/TA14-098A