Jas
New Member
October 29, 2015
Question

OpenSSL.ChangeCipherSpec.Injection IPS Detection

  • 1 reply
  • 8320 views

After enabling IPS on my FortiGate 100D, it detected an attack by OpenSSL.ChangeCipherSpec.Injection on an iPhone when trying to browse a remote Yahoo site. The default action in the 'Default' IPS policy that I am using has 'Monitor All' set, so it's only monitoring this detection and not blocking it.

 

What is the overall threat severity pertaining to this detection? Would it be advisable to change the policy to block attacks like this, or is there a reason why the default action is to simply monitor and not block? Since this was detected on an iPhone when it was browsing a remote Yahoo website that is not internal, is there really any need to block this, or would it be advisable to do so as a precaution?

 

Any information is appreciated. 

 

Thank you


emnoc
New Member
October 29, 2015

You need to look at CVE-2014-0224 and determine your risk and whether to block or monitor. I believe you can search on the FortiGuard website for a list of CVEs also.

 

In a nutshell you need to determine if it's a positive and update the device version if it's not running the minimum versions.

 

 

Ken

 

gschmitt
New Member
October 30, 2015

emnoc wrote:

You need to look at CVE-2014-0224 and determine your risk and whether to block or monitor. I believe you can search on the FortiGuard website for a list of CVEs also.

 

In a nutshell you need to determine if it's a positive and update the device version if it's not running the minimum versions.

 

 

Ken

Just FYI: I keep getting these from multiple different iOS devices regularly while browsing Facebook.

I think it's more of a false positive.

Jas (Author)
New Member
October 30, 2015

I was starting to think the same thing actually. The iPhone in question is completely up to date with iOS 9.1, so there really aren't any newer updates to apply that would pertain to this. This may be why the default action for this exploit is to simply monitor and not block.
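For anyone trying to follow emnoc's advice and work out whether a hit like this is a true positive, the pattern behind CVE-2014-0224 is a ChangeCipherSpec record that arrives before the handshake has reached the key exchange. The toy detector below is an added example written for this thread; it is not code from any poster and says nothing about how Fortinet's OpenSSL.ChangeCipherSpec.Injection signature is actually implemented. It assumes plain TLS 1.0-1.2 record framing, builds three constructed handshakes (a normal full handshake, a session-ID resumption, and a flow where a CCS is injected right after the Hellos), and classifies each. The resumed case is the interesting one: in an abbreviated handshake the server legitimately sends CCS straight after ServerHello with no ClientKeyExchange at all, so a check that ignores resumption fires on perfectly good traffic. The function and flow names are invented for the example.

```python
import struct

# TLS record content types and handshake message types (RFC 5246)
CT_CHANGE_CIPHER_SPEC = 20
CT_HANDSHAKE = 22
HS_CLIENT_HELLO = 1
HS_SERVER_HELLO = 2
HS_SERVER_HELLO_DONE = 14
HS_CLIENT_KEY_EXCHANGE = 16


def tls_record(content_type, payload):
    """Wrap payload in a TLS 1.2 record header: type, version, 16-bit length."""
    return bytes([content_type]) + b"\x03\x03" + struct.pack(">H", len(payload)) + payload


def handshake_msg(msg_type, body):
    """Handshake message: 1-byte type + 24-bit length + body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def hello_body(session_id):
    """Minimal Hello body: version, 32-byte random, session_id, then a placeholder
    cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA) and null compression that the
    detector never reads (constructed data, not a real capture)."""
    return b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id + b"\x00\x2f\x00"


def parse_records(data):
    """Split a byte stream into (content_type, payload) TLS records."""
    records, off = [], 0
    while off < len(data):
        if off + 5 > len(data):
            raise ValueError("truncated record header")
        content_type = data[off]
        length = struct.unpack(">H", data[off + 3:off + 5])[0]
        payload = data[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record body")
        records.append((content_type, payload))
        off += 5 + length
    return records


def parse_handshakes(payload):
    """Split a plaintext handshake record into (msg_type, body) messages."""
    msgs, off = [], 0
    while off < len(payload):
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        msgs.append((payload[off], payload[off + 4:off + 4 + length]))
        off += 4 + length
    return msgs


def session_id_of(body):
    """session_id of a Hello body sits after version (2) + random (32)."""
    return body[35:35 + body[34]]


def classify(flow):
    """flow: list of (direction, bytes), direction "c2s" or "s2c".
    Returns "early_ccs" when a ChangeCipherSpec shows up before any
    ClientKeyExchange in a non-resumed session (the CVE-2014-0224 shape),
    "resumed" for an abbreviated handshake, "clean" otherwise."""
    client_sid, resumed, key_exchange_done = None, False, False
    ccs_seen = {"c2s": False, "s2c": False}
    for direction, data in flow:
        for content_type, payload in parse_records(data):
            if content_type == CT_CHANGE_CIPHER_SPEC:
                if not (resumed or key_exchange_done):
                    return "early_ccs"
                ccs_seen[direction] = True
            elif content_type == CT_HANDSHAKE and not ccs_seen[direction]:
                # once a side has sent CCS its handshake records are encrypted; skip them
                for msg_type, body in parse_handshakes(payload):
                    if msg_type == HS_CLIENT_HELLO:
                        client_sid = session_id_of(body)
                    elif msg_type == HS_SERVER_HELLO:
                        sid = session_id_of(body)
                        resumed = bool(sid) and sid == client_sid
                    elif msg_type == HS_CLIENT_KEY_EXCHANGE:
                        key_exchange_done = True
    return "resumed" if resumed else "clean"


# Constructed sample flows (not captured traffic).
CCS = tls_record(CT_CHANGE_CIPHER_SPEC, b"\x01")
ENC_FINISHED = tls_record(CT_HANDSHAKE, bytes(40))  # stands in for an encrypted Finished
SID = b"\xaa" * 8


def full_handshake():
    return [
        ("c2s", tls_record(CT_HANDSHAKE, handshake_msg(HS_CLIENT_HELLO, hello_body(b"")))),
        ("s2c", tls_record(CT_HANDSHAKE, handshake_msg(HS_SERVER_HELLO, hello_body(SID))
                           + handshake_msg(HS_SERVER_HELLO_DONE, b""))),
        ("c2s", tls_record(CT_HANDSHAKE, handshake_msg(HS_CLIENT_KEY_EXCHANGE, bytes(128)))
                + CCS + ENC_FINISHED),
        ("s2c", CCS + ENC_FINISHED),
    ]


def resumed_handshake():
    return [
        ("c2s", tls_record(CT_HANDSHAKE, handshake_msg(HS_CLIENT_HELLO, hello_body(SID)))),
        ("s2c", tls_record(CT_HANDSHAKE, handshake_msg(HS_SERVER_HELLO, hello_body(SID))) + CCS + ENC_FINISHED),
        ("c2s", CCS + ENC_FINISHED),
    ]


def injected_ccs():
    # a man-in-the-middle relays the Hellos, then injects CCS before any key exchange
    return [
        ("c2s", tls_record(CT_HANDSHAKE, handshake_msg(HS_CLIENT_HELLO, hello_body(b"")))),
        ("s2c", tls_record(CT_HANDSHAKE, handshake_msg(HS_SERVER_HELLO, hello_body(SID)))),
        ("c2s", CCS),
    ]


if __name__ == "__main__":
    for name, flow in (("full", full_handshake()), ("resumed", resumed_handshake()), ("injected", injected_ccs())):
        print(name, classify(flow))
```

The resumption check only recognises session-ID resumption; a ticket-based resumption where both Hellos carry an empty session ID looks identical to the injected flow at this layer and would also come back as "early_ccs". That is exactly the sort of legitimate traffic a detector built on this shape can misreport, which is why checking the OpenSSL version on the endpoints (as emnoc suggests) is a better basis for the block-or-monitor decision than the alert count alone.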