OpenSSL and SSLv3 issues on Fortigate firewall, how to resolve?

This is using few Fortigate 80C and 200B firewall. Recently, my network security team conducted a network equipment security scan and found the following "security breach" as follows:

           2.9.On page 26 item: SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE)
           Solution: Disable SSLv3 support to avoid this vulnerability
 
          2.10 On page 27 item: SSL Server Supports Weak Encryption Vulnerability
           Solution: Disable support for LOW encryption ciphers.
 
          2.11 On page 29 item: SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability (BEAST)
           Solution: This attack was identified in 2004 and later revisions of TLS protocol which contain a fix for this. If possible, upgrade to TLSv1.1 or TLSv1.2. If upgrading to TLSv1.1 or TLSv1.2 is not possible, then disabling CBC mode ciphers will remove the vulnerability

         1.5 On page 23 item: OpenSSL Memory Leak Vulnerability (Heartbleed Bug)
           Solution: Update to Version 1.0.1g to resolve this issue. The latest version is available for download fromOpenSSL Web site (http://www.openssl.org/source/)
 
          1.6 On page 25 item: OpenSSL Multiple Remote Security Vulnerabilities
           Solution: Customers are advised to install OpenSSL versions 0.9.8za, 1.0.0m, 1.0.1h (http://www.openssl.org/related/binaries.html) or later to remediate this vulnerability
 
How to resolve the SSL issue? Appreciate any suggestion.
LVL 1
MichaelBalackAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

gheistCommented:
BEAST you cannot resolve. It is mitigated client side.
For the rest you need to patch the system
0
btanExec ConsultantCommented:
Heartbleed -
This vulnerability is fixed in FortiOS version 5.0.7. Please note that FortiOS 4.3 (4.0MR3) and lower are not affected by this vulnerability.
http://www.fortiguard.com/advisory/FG-IR-14-011/

BEAST - Most important is client end disable SSLv3 (default settings on MSIE 9 and MSIE 10 do not support TLS 1.1 or 1.2) or patch to latest upgrade  ver
If a FortiGate unit running FortiOS 4.0 MR3 Patch 3 and higher, or FortiOS 5.0 is detected to be vulnerable to the BEAST attack by a PCI audit software, it's almost certainly a false positive. The PCI scan probably simply checks, if the server will respond to SSL 3.0 or TLS 1.0. This test however is only sufficient to determine if a device might be vulnerable, but can not confirm with certainty, if the device is vulnerable. To identify, if the particular machine is really vulnerable to the BEAST attack, the PCI scan must check for empty fragments. If it can detect them, then the machine being tested is not vulnerable, if it does not detect them, then the machine is vulnerable.
 
FortiOS firmware version 4.0 MR3 Patch 3 and higher, and FortiOS version 5.0, uses empty fragments to protect from the BEAST attack.
http://kb.fortinet.com/kb/documentLink.do?externalID=FD34165

POODLE - SSLv3 should also be disabled in client browsers end and in fact, FG can restrict from using SSLv3 (but client will fails unless they negotiate higher secure crypto algo
Although FortiGates, ..... are vulnerable in their default configuration, there is a CLI setting which disables SSLv3 E.g FortiOS - Apply the settings... and Other possibly enabled features:
For the HTTPS GUI:
    config system global  
    set strong-crypto enable  
    end  
http://www.fortiguard.com/advisory/SSL-v3--POODLE--Vulnerability/

More OPENSSL vul -
FortiOS 4.x and 5.x are affected by CVE-2014-0224 and CVE-2014-0195 (via CAPWAP service). In addition, FortiOS 5.x SSL VPN and HTTPS administration are vulnerable to CVE-2014-0198 and CVE-2010-5298.
Tentative release dates and updated software versions are shown below.

FortiOS/FortiGate/FortiWifi

4.3.16 (build 686), Released on 2014-06-30
5.2.0 (build 589), Released on 2014-06-16
5.0.8 (build 291), Released on 2014-07-28
http://www.fortiguard.com/advisory/FG-IR-14-018/
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
MichaelBalackAuthor Commented:
Hi btan,

Thanks for your suggestions and articles.

Please see if I can understand fully on these 5 bugs:

     a. (heartbleed bug)OpenSSL Memory Leak Vulnerability - Upgrade firmware to v5.0.7
     b. (BEAST) SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability - to disable TLS/SSL v.30 on
          client side. PCI scan must check for empty fragments
     c. (POODLE) SSLv3 Padding Oracle Attack Information Disclosure Vulnerability - on fortigate, set strong-crypto enable
     d. for other OpenSSL vulnerabilities, upgrade to 5.0.8? since v5.0.7 is needed to tackle Heartbleed, and avoid using
         firmware between v4.3.0 and v5.0.6?

Appreciate your enlightening
0
The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

gheistCommented:
Update to latest since you have to update. 10 steps process will not make users happy.
0
btanExec ConsultantCommented:
Yes for all to patch to latest and those stated ver in the extract are the bare minimal to close those specific vulnerability. For (b), you should patch as well. For (d), these are different vulnerabilities though it is all from OpenSSL itself.

As a whole it is always to go for the latest firmware and hotfixes. But do consider involving the infra team to make sure it is not a big bang and plan for sufficient downtime to test and even rollback, these likely required the FW to reboot and I hope you have the HA FW configuration if traffic cannot be make unavailable in any instance due to user requirement...
0
MichaelBalackAuthor Commented:
Thanks for both experts in pointing out upgrading the firmware and few suggested articles. After applying the required actions, network scan audit works perfectly. No security breach.
0
btanExec ConsultantCommented:
thanks for sharing
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
SSL / HTTPS

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.