MichaelBalack
asked on
OpenSSL and SSLv3 issues on Fortigate firewall, how to resolve?
This is using few Fortigate 80C and 200B firewall. Recently, my network security team conducted a network equipment security scan and found the following "security breach" as follows:
2.9.On page 26 item: SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE)
Solution: Disable SSLv3 support to avoid this vulnerability
2.10 On page 27 item: SSL Server Supports Weak Encryption Vulnerability
Solution: Disable support for LOW encryption ciphers.
2.11 On page 29 item: SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability (BEAST)
Solution: This attack was identified in 2004 and later revisions of TLS protocol which contain a fix for this. If possible, upgrade to TLSv1.1 or TLSv1.2. If upgrading to TLSv1.1 or TLSv1.2 is not possible, then disabling CBC mode ciphers will remove the vulnerability
1.5 On page 23 item: OpenSSL Memory Leak Vulnerability (Heartbleed Bug)
Solution: Update to Version 1.0.1g to resolve this issue. The latest version is available for download fromOpenSSL Web site (http://www.openssl.org/source/)
1.6 On page 25 item: OpenSSL Multiple Remote Security Vulnerabilities
Solution: Customers are advised to install OpenSSL versions 0.9.8za, 1.0.0m, 1.0.1h (http://www.openssl.org/related/binaries.html) or later to remediate this vulnerability
How to resolve the SSL issue? Appreciate any suggestion.
2.9.On page 26 item: SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE)
Solution: Disable SSLv3 support to avoid this vulnerability
2.10 On page 27 item: SSL Server Supports Weak Encryption Vulnerability
Solution: Disable support for LOW encryption ciphers.
2.11 On page 29 item: SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability (BEAST)
Solution: This attack was identified in 2004 and later revisions of TLS protocol which contain a fix for this. If possible, upgrade to TLSv1.1 or TLSv1.2. If upgrading to TLSv1.1 or TLSv1.2 is not possible, then disabling CBC mode ciphers will remove the vulnerability
1.5 On page 23 item: OpenSSL Memory Leak Vulnerability (Heartbleed Bug)
Solution: Update to Version 1.0.1g to resolve this issue. The latest version is available for download fromOpenSSL Web site (http://www.openssl.org/source/)
1.6 On page 25 item: OpenSSL Multiple Remote Security Vulnerabilities
Solution: Customers are advised to install OpenSSL versions 0.9.8za, 1.0.0m, 1.0.1h (http://www.openssl.org/related/binaries.html) or later to remediate this vulnerability
How to resolve the SSL issue? Appreciate any suggestion.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Update to latest since you have to update. 10 steps process will not make users happy.
Yes for all to patch to latest and those stated ver in the extract are the bare minimal to close those specific vulnerability. For (b), you should patch as well. For (d), these are different vulnerabilities though it is all from OpenSSL itself.
As a whole it is always to go for the latest firmware and hotfixes. But do consider involving the infra team to make sure it is not a big bang and plan for sufficient downtime to test and even rollback, these likely required the FW to reboot and I hope you have the HA FW configuration if traffic cannot be make unavailable in any instance due to user requirement...
As a whole it is always to go for the latest firmware and hotfixes. But do consider involving the infra team to make sure it is not a big bang and plan for sufficient downtime to test and even rollback, these likely required the FW to reboot and I hope you have the HA FW configuration if traffic cannot be make unavailable in any instance due to user requirement...
ASKER
Thanks for both experts in pointing out upgrading the firmware and few suggested articles. After applying the required actions, network scan audit works perfectly. No security breach.
thanks for sharing
ASKER
Thanks for your suggestions and articles.
Please see if I can understand fully on these 5 bugs:
a. (heartbleed bug)OpenSSL Memory Leak Vulnerability - Upgrade firmware to v5.0.7
b. (BEAST) SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability - to disable TLS/SSL v.30 on
client side. PCI scan must check for empty fragments
c. (POODLE) SSLv3 Padding Oracle Attack Information Disclosure Vulnerability - on fortigate, set strong-crypto enable
d. for other OpenSSL vulnerabilities, upgrade to 5.0.8? since v5.0.7 is needed to tackle Heartbleed, and avoid using
firmware between v4.3.0 and v5.0.6?
Appreciate your enlightening