dblazevic
Staff
Article Id 193509
Description
The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, also known as the "BEAST" (Browser Exploit Against SSL/TLS) attack. 
 
The BEAST attack is only applicable to TLS 1.0 with cipher suites using CBC mode. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected (for example, RC4 128).
 
The problem is essentially a client-side issue, and all major web browsers (Firefox, Chrome, MSIE) have updated versions available for download that fix it. Even so, FortiOS firmware version 4.0 MR3 Patch 3 and higher, and FortiOS firmware 5.0, have a countermeasure for this attack (sending empty fragments) when CBC cipher suites are used. Despite this countermeasure, several customers using FortiOS firmware 4.0 MR3 Patch 3 and higher, and FortiOS version 5.0, have reported PCI audit failures because the audit software flagged a FortiGate unit running these firmware versions as vulnerable to the BEAST attack.
 
If PCI audit software reports a FortiGate unit running FortiOS 4.0 MR3 Patch 3 or higher, or FortiOS 5.0, as vulnerable to the BEAST attack, it is almost certainly a false positive. The PCI scan probably only checks whether the server will respond to SSL 3.0 or TLS 1.0. That test is sufficient only to determine that a device might be vulnerable; it cannot confirm that the device is vulnerable. To establish whether a particular machine is really vulnerable to the BEAST attack, the PCI scan must check for empty fragments. If it detects them, the machine being tested is not vulnerable; if it does not detect them, the machine is vulnerable.
 
FortiOS firmware version 4.0 MR3 Patch 3 and higher, and FortiOS version 5.0, use empty fragments to protect against the BEAST attack.
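
One way to run the empty-fragment check described above over a captured server-to-client TLS 1.0 byte stream, as an added example (not Fortinet's code and not any PCI scanner's logic). It assumes HMAC-SHA1 CBC suites with minimal padding, and it is a length heuristic: a minimum-size record can also carry a few bytes of real data, so a match is consistent with an empty fragment rather than proof of one. All function names and sample streams are constructed for illustration.

```python
import struct

APPLICATION_DATA = 23          # TLS ContentType application_data
TLS_1_0 = (3, 1)               # record-layer version bytes for TLS 1.0
# Assumption: (MAC length, cipher block length) for common HMAC-SHA1 CBC suites
CBC_SUITES = {"AES128-SHA": (20, 16), "AES256-SHA": (20, 16), "DES-CBC3-SHA": (20, 8)}

def parse_records(stream):
    """Return [(content_type, version, length)] for each TLS record in stream."""
    records, off = [], 0
    while off < len(stream):
        if off + 5 > len(stream):
            raise ValueError("truncated record header at offset %d" % off)
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, off)
        if off + 5 + length > len(stream):
            raise ValueError("truncated record body at offset %d" % off)
        records.append((ctype, (major, minor), length))
        off += 5 + length
    return records

def empty_record_len(mac_len, block_len):
    """Ciphertext size of a TLS 1.0 CBC record with no plaintext and minimal padding."""
    body = mac_len + 1                        # MAC plus the padding-length byte
    return -(-body // block_len) * block_len  # round up to a whole cipher block

def count_split_pairs(stream, suite):
    """Count minimum-size application records directly followed by a larger one."""
    floor = empty_record_len(*CBC_SUITES[suite])
    recs = parse_records(stream)
    return sum(1 for (t1, v1, l1), (t2, _, l2) in zip(recs, recs[1:])
               if t1 == t2 == APPLICATION_DATA and v1 == TLS_1_0
               and l1 == floor and l2 > floor)

def assess(stream, suite):
    """Summarise what the server-to-client capture shows."""
    recs = parse_records(stream)
    if not any(t == APPLICATION_DATA for t, _, _ in recs):
        return "inconclusive: no application data captured"
    if count_split_pairs(stream, suite):
        return "empty fragments observed: countermeasure active"
    return "no empty fragments observed"

def make_record(length, ctype=APPLICATION_DATA):
    # Constructed record: real 5-byte header, zero bytes standing in for ciphertext
    return struct.pack("!BBBH", ctype, 3, 1, length) + bytes(length)

# Constructed server-to-client streams (not captured from any real device)
WITH_SPLIT = make_record(32) + make_record(512) + make_record(32) + make_record(272)
WITHOUT_SPLIT = make_record(512) + make_record(272)
HANDSHAKE_ONLY = make_record(48, ctype=22)
```

The suite name passed in must match the one negotiated in the captured session, since the expected size of an empty record depends on the cipher's block length.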
 

Solution
On the technical side, the following resolutions are possible:

1) Force RC4 128: As an alternative, forcing the use of RC4 (i.e. disabling 3DES and AES) will also protect against this weakness. This could be seen as a workaround.

2) Use TLS 1.1/1.2: Note, however, that TLS 1.1 and TLS 1.2 are not in widespread adoption, and not all browsers might support them.

3) The most important corrective action is to patch the client (upgrade web browsers on user PCs).


What can be done on the FortiGate unit:

- running FortiOS firmware version 4.0 MR3:


Upgrade to MR3 Patch 3 or higher. From version 4.0 MR3 Patch 3 onward, FortiOS sends empty fragments as a countermeasure to the BEAST attack. PCI audit alarms are false positives from this version onward.

- running FortiOS firmware version 5.0:
 
In FortiOS version 5.0, TLS 1.0 can be completely disabled. The following facts show, however, that the preferred solution is to patch the client side (upgrade web browsers) rather than to disable TLS 1.0 on the firewall:
- Some older versions of Internet Explorer do not support TLS 1.1.
- Default settings on MSIE 9 and MSIE 10 do not support TLS 1.1 or 1.2.



To disable TLS 1.0 for the SSL VPN portal, the following CLI commands can be used:

config vpn ssl settings
   set tlsv1-0 disable
end

