MichaelBalack (Singapore) asked:
OpenSSL and SSLv3 issues on Fortigate firewall, how to resolve?

We are using a few Fortigate 80C and 200B firewalls. Recently, my network security team conducted a network equipment security scan and found the following "security breaches":

2.9 (page 26): SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE)
    Solution: Disable SSLv3 support to avoid this vulnerability.

2.10 (page 27): SSL Server Supports Weak Encryption Vulnerability
    Solution: Disable support for LOW encryption ciphers.

2.11 (page 29): SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability (BEAST)
    Solution: This attack was identified in 2004 and later revisions of the TLS protocol contain a fix for this. If possible, upgrade to TLSv1.1 or TLSv1.2. If upgrading to TLSv1.1 or TLSv1.2 is not possible, then disabling CBC mode ciphers will remove the vulnerability.

1.5 (page 23): OpenSSL Memory Leak Vulnerability (Heartbleed Bug)
    Solution: Update to version 1.0.1g to resolve this issue. The latest version is available for download from the OpenSSL web site (http://www.openssl.org/source/).

1.6 (page 25): OpenSSL Multiple Remote Security Vulnerabilities
    Solution: Customers are advised to install OpenSSL versions 0.9.8za, 1.0.0m, 1.0.1h (http://www.openssl.org/related/binaries.html) or later to remediate this vulnerability.
 
How can I resolve these SSL issues? I would appreciate any suggestions.
SOLUTION
gheist (Belgium): [solution text is available only to Experts Exchange members]

ASKER CERTIFIED SOLUTION
btan: [solution text is available only to Experts Exchange members]
MichaelBalack (asker):
Hi btan,

Thanks for your suggestions and articles.

Please check whether I have fully understood these 5 bugs:

     a. (Heartbleed bug) OpenSSL Memory Leak Vulnerability: upgrade firmware to v5.0.7
     b. (BEAST) SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability: disable TLS/SSL v3.0 on the client side. The PCI scan must check for empty fragments
     c. (POODLE) SSLv3 Padding Oracle Attack Information Disclosure Vulnerability: on the Fortigate, set strong-crypto enable
     d. For the other OpenSSL vulnerabilities, upgrade to 5.0.8? Since v5.0.7 is needed to tackle Heartbleed, should we avoid using firmware between v4.3.0 and v5.0.6?

I would appreciate your enlightening me.
Update to the latest, since you have to update. A 10-step process will not make users happy.
btan:

Yes, for all of them, patch to the latest; the versions stated in the extract are the bare minimum to close those specific vulnerabilities. For (b), you should patch as well. For (d), these are different vulnerabilities, though they all come from OpenSSL itself.

As a whole, it is always best to go for the latest firmware and hotfixes. But do consider involving the infra team to make sure it is not a big bang, and plan for sufficient downtime to test and even roll back; these will likely require the FW to reboot, and I hope you have an HA FW configuration if traffic cannot be made unavailable at any time due to user requirements...
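Before re-running the audit, it is worth checking the two protocol-level findings yourself rather than waiting for the scanner. The script below is an added example for this thread, not code from the original posts or from Fortinet. It sends a raw ClientHello (Python's ssl module no longer speaks SSLv3) and classifies the server's first record: a ServerHello means the version or cipher was accepted, an alert means it was refused. The target address and the cipher-suite lists are assumptions chosen for illustration; the sample replies at the bottom are constructed, not captured from a firewall.

```python
"""Probe a TLS endpoint for SSLv3 acceptance (POODLE, finding 2.9) and LOW
cipher acceptance (finding 2.10) using raw ClientHello records.

Added example for this thread, not from the original post or from Fortinet.
Host and cipher lists are assumptions for illustration.
"""
import socket
import struct

SSLV3 = (3, 0)
TLS10 = (3, 1)

# Suites a scanner reports as LOW/weak (IANA code points); for the
# weak-cipher probe the server must pick one of these or refuse.
WEAK_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}
# Ordinary suites for the SSLv3 probe, so only the protocol version is tested.
AES_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}

def build_client_hello(version, suites):
    """Return one TLS record carrying a minimal ClientHello (no extensions).

    Record: type(1) version(2) length(2); handshake: type(1) length(3);
    ClientHello: client_version(2) random(32) session_id_len(1)
    suites_len(2) suites compression_len(1) compression(1).
    """
    major, minor = version
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (bytes([major, minor])
            + b"\x00" * 32                      # client random; fixed is fine for a probe
            + b"\x00"                           # empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                      # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake

def classify_reply(data):
    """Classify the first record a server returned for our ClientHello.

    ("accepted", (server_version, suite)) for a ServerHello,
    ("rejected", alert_description) for an alert record,
    ("unknown", None) for a closed connection or anything else.
    """
    if len(data) >= 7 and data[0] == 0x15:            # alert: level(1) description(1)
        return ("rejected", data[6])
    if len(data) >= 44 and data[0] == 0x16:           # handshake record
        hs = data[5:]
        if hs[0] == 0x02:                             # ServerHello
            version = (hs[4], hs[5])                  # after type(1) + length(3)
            off = 39 + hs[38]                         # skip random(32) and session id
            if len(hs) >= off + 2:
                return ("accepted", (version, struct.unpack("!H", hs[off:off + 2])[0]))
    return ("unknown", None)

def probe(host, port, version, suites, timeout=5.0):
    """Send one ClientHello and classify the response (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(version, suites))
        try:
            reply = s.recv(4096)
        except socket.timeout:
            reply = b""
    return classify_reply(reply)

def audit(host, port=443):
    """Return findings mirroring scan items 2.9 and 2.10; an empty list is clean."""
    findings = []
    status, _ = probe(host, port, SSLV3, AES_SUITES)
    if status == "accepted":
        findings.append("SSLv3 still accepted (POODLE, finding 2.9)")
    status, detail = probe(host, port, TLS10, WEAK_SUITES)
    if status == "accepted":
        name = WEAK_SUITES.get(detail[1], hex(detail[1]))
        findings.append("weak cipher negotiated: %s (finding 2.10)" % name)
    return findings

# Constructed sample replies (not captured from a real device) for offline checks.
SAMPLE_SERVER_HELLO_SSLV3 = (
    b"\x16\x03\x00\x00\x2a"                       # handshake record, SSLv3, 42 bytes
    + b"\x02\x00\x00\x26" + b"\x03\x00"           # ServerHello, 38 bytes, version 3.0
    + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
)
SAMPLE_ALERT_PROTOCOL_VERSION = b"\x15\x03\x01\x00\x02\x02\x46"  # fatal alert 70

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # assumed admin IP (TEST-NET-1)
    for line in audit(target) or ["no SSLv3 or weak cipher acceptance observed"]:
        print(line)
```

Run it against the firewall's HTTPS admin interface (and any SSL VPN portal) from a host that can reach it; a server that has SSLv3 disabled answers the first probe with an alert or simply closes the connection, and one without LOW ciphers answers the second with a handshake_failure alert. The check only covers what is visible on the wire, so the Heartbleed and other OpenSSL library findings still need the firmware version confirmed separately.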
Thanks to both experts for pointing out the firmware upgrade and for the suggested articles. After applying the required actions, the network scan audit passes perfectly. No security breach.
thanks for sharing