Jas
New Contributor

OpenSSL.ChangeCipherSpec.Injection IPS Detection

After enabling IPS on my FortiGate 100D, it detected an attack by OpenSSL.ChangeCipherSpec.Injection on an iPhone when trying to browse a remote Yahoo site. The default action in the 'Default' IPS policy that I am using has 'Monitor All' set, so it's only monitoring this detection and not blocking it.

 

What is the overall threat severity pertaining to this detection? Would it be advisable to change the policy to block attacks like this, or is there a reason why the default action is to simply monitor and not block? Since this was detected on an iPhone when it was browsing a remote Yahoo website that is not internal, is there really any need to block this, or would it be advisable to do so as a precaution?

 

Any information is appreciated. 

 

Thank you

4 REPLIES
emnoc
Esteemed Contributor III

You need to look at CVE-2014-0224 and determine your risk and whether to block or monitor. I believe you can search on the FortiGuard website for a list of CVEs also.

 

In a nutshell you need to determine if it's a positive and update the device version if it's not running the minimum versions.

 

 

Ken

 

PCNSE 

NSE 

StrongSwan  

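The "minimum versions" check from the reply above, sketched for endpoints you control that link OpenSSL. This is an added example, not part of the thread: the first fixed releases (0.9.8za, 1.0.0m, 1.0.1h) and the server-side scope come from the OpenSSL advisory for CVE-2014-0224 rather than from this page, and all function names are hypothetical.

```python
import re

# First fixed release per branch for CVE-2014-0224, taken from the OpenSSL
# advisory of 5 June 2014 (assumption: these values are not on the forum page).
FIXED = {(0, 9, 8): "za", (1, 0, 0): "m", (1, 0, 1): "h"}
# Per the same advisory, only 1.0.1 (and 1.0.2-beta1) is exploitable as a server.
SERVER_BRANCH = (1, 0, 1)
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(|[a-y]|z[a-z]?)$")


def parse(version):
    """Split '1.0.1g' into ((1, 0, 1), 'g'); pre-releases like -beta1 are rejected."""
    m = _VERSION.match(version.strip().lower())
    if not m:
        raise ValueError(f"unsupported OpenSSL version string: {version!r}")
    return tuple(int(x) for x in m.group(1, 2, 3)), m.group(4)


def patch_rank(letters):
    """Order patch suffixes: '' < 'a' < ... < 'z' < 'za' < 'zb' ..."""
    if not letters:
        return 0
    if len(letters) == 1:
        return ord(letters) - ord("a") + 1
    return 26 + ord(letters[1]) - ord("a") + 1


def is_patched(version):
    """True if this OpenSSL release contains the CVE-2014-0224 fix."""
    branch, letters = parse(version)
    if branch > SERVER_BRANCH:        # 1.0.2 and later shipped with the fix
        return True
    if branch not in FIXED:           # older, unsupported branches got no fix
        return False
    return patch_rank(letters) >= patch_rank(FIXED[branch])


def session_exposed(client, server):
    """The attack needs an unpatched client AND an unpatched 1.0.1 server."""
    server_branch, _ = parse(server)
    return (not is_patched(client)
            and server_branch == SERVER_BRANCH
            and not is_patched(server))


if __name__ == "__main__":
    for c, s in [("0.9.8y", "1.0.1g"), ("0.9.8y", "1.0.0l"), ("1.0.1h", "1.0.1g")]:
        print(c, s, "exposed" if session_exposed(c, s) else "not exposed")
```

If either end of a flagged session is patched, or the server is not on the 1.0.1 branch, `session_exposed` returns `False`, which is the condition under which the IPS hit cannot correspond to a working attack.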
gschmitt
Valued Contributor

emnoc wrote:

You need to look at CVE-2014-0224 and determine your risk and whether to block or monitor. I believe you can search on the FortiGuard website for a list of CVEs also.

 

In a nutshell you need to determine if it's a positive and update the device version if it's not running the minimum versions.

 

 

Ken

Just FYI: I keep getting these from multiple different iOS devices regularly while browsing Facebook.

I think it's more of a false positive.

Jas
New Contributor

I was starting to think the same thing actually. The iPhone in question is completely up to date with iOS 9.1, so there really aren't any newer updates to apply that would pertain to this. This may be why the default action for this exploit is to simply monitor and not block.

