Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
TC_Hessen
New Contributor

Heartbleed-Bug and Fortinet products

Hi, have a look at http://heartbleed.com/ - I made a test with some of our own Fortigates and with some of our customers and found that they are affected. I tried to test the public SSL portals where valid SSL certificates have been installed. Can anyone check this please? A good site to run a test is http://possible.lv/tools/hb/
best regards, TC
34 REPLIES
rwpatterson
Valued Contributor III

FYI, into my inbox this AM:

By now, many of you have heard of the Heartbleed bug, which is a recently disclosed vulnerability that was discovered in OpenSSL versions 1.0.1 through 1.0.1f. This vulnerability may allow an attacker to access sensitive information from memory by sending specially-crafted TLS heartbeat requests. Despite the media hype about this vulnerability, it is worth calling out the facts. Not all Fortinet products were impacted by this bug. In fact, many of our products, such as our FortiWeb (WAF) products, were immune from day one. However, some of our product lines were affected. This includes:

- FortiGate (FortiOS) 5.0.0 up to 5.0.6
- FortiAuthenticator 3.x
- FortiMail 4.3.x and 5.x
- FortiVoice models 200D, 200D-T and VM
- FortiRecorder
- FortiADC D-Series models 1500D, 2000D and 4000D
- FortiADC E-Series 3.x
- Coyote Point Equalizer GX / LX 10.x
- AscenLink v7.0 and v7.1-B5599
- FortiDDoS 4.x
- FortiDNS

Within hours of the discovery, our FortiGuard Labs product security (PSIRT) and security research teams began developing protections and releasing patches for a variety of Fortinet products. Our industry-leading security and threat researchers are well prepared to react to and protect our customers from threats such as Heartbleed, thanks to our existing critical update process. This process has been in place for nearly a decade. Our team is well equipped to analyze, develop, deploy and refactor critical IPS signatures within 48 hours of any breaking attack.

Product Updates

For FortiGate customers: A software update for FortiOS 5 is available for download on the support site at http://support.fortinet.com. This vulnerability is fixed in FortiOS version 5.0.7. Please note that FortiOS 4.3 (4.0MR3) and lower are not affected by this vulnerability.

For FortiMail customers: Software updates for FortiMail 5.0 and 5.1 are now available at http://support.fortinet.com. This vulnerability is fixed in FortiMail versions 5.0.5 and 5.1.2. An update for FortiMail 4.3 will be released on Monday April 14th.

For FortiVoice customers: Software updates for affected FortiVoice products will be released on or before Wednesday April 16th. Note that only FortiVoice 200D, 200D-T and VM products are affected.

For FortiRecorder customers: An updated version of FortiRecorder software is now available on the Fortinet support site. This vulnerability is fixed in FortiRecorder version 1.4.1.

For FortiADC and Coyote Point customers: Updates will be provided for FortiADC D-Series on or before Wednesday April 16th. The release timeline for FortiADC E-series and Coyote Point products can be found in the following advisory: http://www.coyotepoint.com/files/downloads/EqSecurityVulnerabilities.pdf

For AscenLink customers: A software fix for AscenLink will be available in version 7.1-B5745, which will be available on the support site at http://support.fortinet.com on Tuesday, April 15th. For users with existing Xtera AscenLink systems still using firmware below V7.1 with Xtera Serial Numbers (AAAA-BBBB-CCCC-DDDD), or any issues accessing Fortinet Support, please contact ascenlink@fortinet.com.

Firmware release dates for other products are pending. More information can be found here: http://www.fortiguard.com/advisory/FG-IR-14-011/

Protecting Against Heartbleed Attacks

In addition to patching our own products in rapid succession, our FortiGuard Labs team developed an IPS signature to thwart potential Heartbleed attacks. Customers should make sure that they update their FortiGate IPS signatures in order to protect their network from Heartbleed-based attacks. The IPS signature was released in IPS update 4.476 and is named "OpenSSL.TLS.Heartbeat.Information.Disclosure". On Friday, April 11, an additional out-of-band IPS update (4.480) was released to our customers providing additional protection under the same name against “reverse Heartbleed” attacks. Customers must have a current/active FortiGuard service subscription to get this IPS signature.

Additionally, FortiWeb (our web application firewall) provides 100% protection against Heartbleed. When a FortiWeb hardware or virtual appliance is deployed inline using either Reverse Proxy or Transparent Proxy modes it will automatically protect all applications behind the web application firewall from this OpenSSL exploit.

In summary, Fortinet wants you to know that of the small number of products that were affected by Heartbleed, we have patched most of these; the remaining patches will be released very soon. More so, we are pleased to state that our FortiGate IPS signatures and FortiWeb products provide protection against Heartbleed. Our threat research team continues to monitor this vulnerability, and we will provide further updates through our FortiGuard blog and security advisories.

Sincerely,
Michael Xie
Co-Founder and Chief Technology Officer
Fortinet
Phone: 1-866-868-3678
www.fortinet.com

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

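The notice above gives the affected and fixed versions per product line. The script below is an added example (not a Fortinet tool and not part of the original post) that triages a device inventory against those ranges: FortiOS 5.0.0 to 5.0.6 affected and fixed in 5.0.7, 4.3 and lower not affected; FortiMail 4.3.x and 5.x affected with fixes in 5.0.5 and 5.1.2 (the 4.3 fix was still pending when the notice was written); FortiRecorder fixed in 1.4.1. Assumptions: the inventory and hostnames are constructed, version strings look like "v5.0.6,build0271" or plain "5.0.6", FortiMail "5.x" is modelled as only the 5.0 and 5.1 branches the notice names, and every FortiRecorder 1.x build before 1.4.1 is treated as affected.

```python
"""Triage a device inventory against the affected ranges in the Fortinet
notice quoted above. Example code added to this thread, not a Fortinet tool;
the inventory is constructed and the version-string format is assumed."""

# Ranges taken from the notice quoted above:
#   FortiOS: 5.0.0 - 5.0.6 affected, fixed in 5.0.7; 4.3 (4.0MR3) and lower not affected.
#   FortiMail: 4.3.x and 5.x affected; fixed in 5.0.5 and 5.1.2, 4.3 fix still pending
#     at the time of the notice (assumption: 5.x modelled as the 5.0 and 5.1 branches
#     the notice names).
#   FortiRecorder: fixed in 1.4.1 (assumption: every earlier 1.x build is affected).
# Each rule: (branch prefix, first fixed version in that branch, or None if pending)
ADVISORY = {
    "FortiOS":       [((5, 0), (5, 0, 7))],
    "FortiMail":     [((4, 3), None), ((5, 0), (5, 0, 5)), ((5, 1), (5, 1, 2))],
    "FortiRecorder": [((1,), (1, 4, 1))],
}


def parse_version(text):
    """Turn 'v5.0.6', '5.0.6' or 'v5.0.6,build0271' into a comparable tuple."""
    core = text.strip().lstrip("vV").split(",")[0].split("-")[0]
    return tuple(int(part) for part in core.split("."))


def assess(product, version):
    """Classify one device: 'affected', 'patched', 'fix pending' or 'not affected'."""
    v = parse_version(version)
    for branch, fixed in ADVISORY.get(product, []):
        if v[: len(branch)] != branch:
            continue                      # not this branch
        if fixed is None:
            return "fix pending"          # affected, no fixed build published yet
        return "patched" if v >= fixed else "affected"
    return "not affected"                 # product or branch not listed in the notice


def triage(inventory):
    """inventory: list of (hostname, product, version). Returns (hostname, status) pairs."""
    return [(host, assess(product, version)) for host, product, version in inventory]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("fgt-edge-1", "FortiOS", "v5.0.6,build0271"),
    ("fgt-edge-2", "FortiOS", "v5.0.7"),
    ("fgt-branch", "FortiOS", "v4.3.15"),
    ("fml-1", "FortiMail", "5.1.1"),
    ("fml-2", "FortiMail", "4.3.6"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {status}")
```

A version check like this only tells you whether a build is in a listed range; it says nothing about whether an SSL service is actually exposed on the box, so it complements rather than replaces the external test the thread opener ran.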
Chris_Hostetler

Ok, I am exposing my ignorance here. I followed the workaround below. Shouldn't I see this policy listed under DoS Policy in the GUI?

The following workarounds are available:

1. Apply the mitigating IPS signature to interface policies on affected FortiGate devices. The IPS signature was released in IPS update 4.476 and is named "OpenSSL.TLS.Heartbeat.Information.Disclosure". Note that this will affect traffic destined to the FortiGate and transit traffic. Follow the steps below to configure the FortiGate firewall to use this signature:

1.1. Applying the signature to an IPS profile. Use the following syntax to create a new IPS profile. The new profile will reset SSL connections attempting to use the OpenSSL Heartbleed vulnerability.

    config ips sensor
        edit "ssl.heartbleed"
            config entries
                edit 1
                    set action reset
                    set rule 38307
                    set status enable
                next
            end
        next
    end

1.2. Define an SSL services group. Note: This group is only provided as a sample service group. Include all SSL service ports that are applicable in your environment.

    config firewall service custom
        edit "SSLVPN"
            set tcp-portrange 10443
        next
    end
    config firewall service group
        edit "SSL-Services"
            set member "HTTPS" "SSLVPN"
        next
    end

1.3. Apply this sensor to an interface policy (which applies to both local and transit traffic) or regular firewall policy (transit traffic only). Make sure the policy to which this sensor is applied is specific to SSL services. To apply an IPS signature to an interface policy, use the following steps. Note: this policy will protect the FortiGate itself on the WAN1 interface and all transit traffic arriving on the WAN1 interface for SSL services only.

    config firewall interface-policy
        edit 0
            set interface "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set service "SSL-Services"
            set ips-sensor-status enable
            set ips-sensor "ssl.heartbleed"
        next
    end
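The "ssl.heartbleed" sensor above resets connections that carry the condition the IPS signature matches: a TLS heartbeat whose declared payload length cannot fit inside the record that carries it. The script below is an added example (not part of the post above and not Fortinet's signature; what rule 38307 inspects internally is not documented in this thread) that applies the same length check to captured TLS records, in both directions so that an oversized response ("reverse Heartbleed", covered by the 4.480 update mentioned earlier) is flagged as well as an oversized request. Assumptions: the record layout follows RFC 6520 (1-byte type, 2-byte payload_length, payload, at least 16 bytes of padding), and the sample records are constructed fixtures built in the script.

```python
"""Detection logic for the condition the "ssl.heartbleed" sensor above is
meant to catch: a TLS heartbeat message whose declared payload_length
cannot fit inside the record carrying it (RFC 6520 requires the payload
plus at least 16 bytes of padding). Example code added to this thread,
not Fortinet's signature; the sample records are constructed fixtures."""

import struct

TLS_HEARTBEAT = 24   # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST = 1       # heartbeat_request
HB_RESPONSE = 2      # heartbeat_response
HB_HEADER = 3        # 1-byte type + 2-byte payload_length
MIN_PADDING = 16     # minimum padding a conforming heartbeat carries


def inspect_record(record):
    """Inspect one TLS record (header + body) and return (verdict, detail).
    Verdicts: 'ignore' (not a heartbeat), 'malformed' (truncated),
    'heartbleed' (payload_length exceeds what the record can hold), 'ok'."""
    if len(record) < 5:
        return "malformed", "record shorter than the 5-byte TLS header"
    content_type, _major, _minor, length = struct.unpack("!BBBH", record[:5])
    if content_type != TLS_HEARTBEAT:
        return "ignore", f"content type {content_type}"
    body = record[5:5 + length]             # use only what was actually captured
    if len(body) < HB_HEADER:
        return "malformed", "heartbeat body shorter than its 3-byte header"
    hb_type, payload_len = struct.unpack("!BH", body[:HB_HEADER])
    available = len(body) - HB_HEADER - MIN_PADDING
    # Both directions are checked: an oversized request targets the server,
    # an oversized response ("reverse Heartbleed") targets the client.
    if payload_len > available:
        return "heartbleed", (f"type {hb_type} claims {payload_len} payload bytes, "
                              f"record can hold at most {max(available, 0)}")
    return "ok", f"type {hb_type}, payload {payload_len} bytes"


def scan_records(records):
    """Run every record through inspect_record; return (index, verdict, detail) rows."""
    return [(i, *inspect_record(r)) for i, r in enumerate(records)]


def sample_heartbeat_record(hb_type, claimed_len, payload, padding=bytes(MIN_PADDING)):
    """Build a constructed heartbeat record for the fixtures below (test data only)."""
    body = struct.pack("!BH", hb_type, claimed_len) + payload + padding
    return struct.pack("!BBBH", TLS_HEARTBEAT, 3, 2, len(body)) + body


# Constructed fixtures: a conforming request, a request claiming far more
# payload than it carries, the same in the response direction, and a
# handshake record (content type 22) that the detector should ignore.
FIXTURES = [
    sample_heartbeat_record(HB_REQUEST, 4, b"ping"),
    sample_heartbeat_record(HB_REQUEST, 4096, b"ping"),
    sample_heartbeat_record(HB_RESPONSE, 4096, b"pong"),
    b"\x16\x03\x01\x00\x05" + bytes(5),
]

if __name__ == "__main__":
    for index, verdict, detail in scan_records(FIXTURES):
        print(f"record {index}: {verdict:10} {detail}")
```

The check works on plaintext record headers only, which is why the interface policy in the post scopes it to SSL service ports: the heartbeat length fields sit in the TLS record layer, outside the encrypted payload, so an inline device can evaluate them without terminating the session.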
ShrewLWD

Hi Chris, if you did not fat-finger your request (not listed under DoS?), DoS is pretty much just a packet storm quencher, it doesn't care about the characteristic of the packet. So you would not see this particular IPS rule listed there.
Chris_Hostetler

Thanks for the response Shrew, but where (if anywhere) would I see this new policy?
ShrewLWD

Do you have 'multiple security profiles' enabled? System->Config->Features