After enabling IPS on my FortiGate 100D it detected an attack by OpenSSL.ChangeCipherSpec.Injection on an iPhone when trying to browse a remote Yahoo site. The default action in the 'Default' IPS policy that I am using has 'Monitor All' set, so it's only monitoring this detection and not blocking it.
What is the overall threat severity pertaining to this detection? Would it be advisable to change the policy to block attacks like this, or is there a reason why the default action is to simply monitor and not block? Since this was detected on an iPhone when it was browsing a remote Yahoo website that is not internal, is there really any need to block this, or would it be advisable to do so as a precaution?
Any information is appreciated.
Thank you
You need to look at CVE-2014-0224 and determine your risk and whether to block or monitor. I believe you can search on the FortiGuard website for a list of CVEs also.
In a nutshell you need to determine if it's a positive and update the device version if it's not running the minimum versions.
Ken
PCNSE
NSE
StrongSwan
emnoc wrote:
You need to look at CVE-2014-0224 and determine your risk and whether to block or monitor. I believe you can search on the FortiGuard website for a list of CVEs also.
In a nutshell you need to determine if it's a positive and update the device version if it's not running the minimum versions.
Ken
Just FYI: I keep getting these from multiple different iOS devices regularly while browsing Facebook. I think it's more of a false positive.
I was starting to think the same thing actually. The iPhone in question is completely up to date with iOS 9.1, so there really aren't any newer updates to apply that would pertain to this. This may be why the default action for this exploit is to simply monitor and not block.
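To make the "determine your risk, decide block vs. monitor, check minimum versions" advice concrete, here is an added triage helper. It is example code written for this thread, not code from any of the posters, from Fortinet or from FortiGuard. It parses FortiGate-style key=value IPS log lines (the sample lines below are constructed, with documentation-range IP addresses), summarises hits per signature so that a run of detections from many unrelated iOS clients to public sites stands out as a probable false positive, and checks OpenSSL version strings against the releases that fixed CVE-2014-0224 (0.9.8za, 1.0.0m, 1.0.1h). The `assess` function and its block/monitor rule are an assumption for illustration: it recommends blocking only when an internal TLS endpoint still runs an unpatched OpenSSL, since the CCS injection attack needs a vulnerable endpoint on the session to be exploitable, and otherwise keeps the signature in monitor mode.

```python
"""Triage helper for FortiGate IPS hits on OpenSSL.ChangeCipherSpec.Injection.

Added example for this thread; not code from Fortinet, FortiGuard or the posters.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log lines in FortiGate key=value style (not real device output).
SAMPLE_LOGS = """\
date=2015-11-03 time=10:15:01 type="utm" subtype="ips" severity="critical" srcip=192.0.2.21 dstip=203.0.113.10 dstport=443 attack="OpenSSL.ChangeCipherSpec.Injection" action="detected"
date=2015-11-03 time=10:15:07 type="utm" subtype="ips" severity="critical" srcip=192.0.2.22 dstip=203.0.113.10 dstport=443 attack="OpenSSL.ChangeCipherSpec.Injection" action="detected"
date=2015-11-03 time=10:16:40 type="utm" subtype="ips" severity="critical" srcip=192.0.2.21 dstip=198.51.100.5 dstport=443 attack="OpenSSL.ChangeCipherSpec.Injection" action="detected"
date=2015-11-03 time=10:20:12 type="utm" subtype="ips" severity="high" srcip=198.51.100.77 dstip=192.0.2.50 dstport=443 attack="SSL.Anomalous.Certificate" action="dropped"
"""

# key=value pairs; values are either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"]*)"|\S+)')


def parse_log_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def summarise(log_text):
    """Per IPS signature: hit count, distinct sources/destinations, and actions taken."""
    per_sig = defaultdict(lambda: {"count": 0, "srcips": set(), "dstips": set(), "actions": Counter()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_log_line(line)
        if rec.get("subtype") != "ips":
            continue
        entry = per_sig[rec["attack"]]
        entry["count"] += 1
        entry["srcips"].add(rec["srcip"])
        entry["dstips"].add(rec["dstip"])
        entry["actions"][rec["action"]] += 1
    return dict(per_sig)


# First release of each OpenSSL branch that fixed CVE-2014-0224.
FIXED_IN = {(0, 9, 8): "za", (1, 0, 0): "m", (1, 0, 1): "h"}


def parse_openssl_version(ver):
    """Split '1.0.1g' into ((1, 0, 1), 'g'); the letter suffix may be empty or two letters ('za')."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", ver.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % ver)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def vulnerable_to_cve_2014_0224(ver):
    """True if this OpenSSL version predates the CCS injection fix for its branch.

    Assumption: branches newer than 1.0.1 (1.0.2 and later) shipped after the fix and
    are treated as not affected; unsupported older branches are treated as never fixed.
    """
    branch, letter = parse_openssl_version(ver)
    if branch not in FIXED_IN:
        return branch < (1, 0, 1)
    # OpenSSL patch letters compare like plain strings: '' < 'a' < ... < 'z' < 'za' < 'zb'
    return letter < FIXED_IN[branch]


def assess(summary, signature, internal_openssl_versions):
    """Block/monitor recommendation for one signature (illustrative rule, an assumption).

    internal_openssl_versions: OpenSSL versions of your own TLS endpoints that the
    signature could be protecting. Returns (decision, reason).
    """
    hits = summary.get(signature)
    if not hits:
        return "monitor", "no detections for this signature"
    exposed = [v for v in internal_openssl_versions if vulnerable_to_cve_2014_0224(v)]
    if exposed:
        return "block", "internal TLS endpoints still run unpatched OpenSSL: " + ", ".join(exposed)
    return "monitor", "%d hits from %d clients to %d destinations; no unpatched internal endpoints" % (
        hits["count"], len(hits["srcips"]), len(hits["dstips"]))


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOGS)
    for sig, info in summary.items():
        print(sig, info["count"], "hits from", sorted(info["srcips"]), "to", sorted(info["dstips"]),
              dict(info["actions"]))
    print(assess(summary, "OpenSSL.ChangeCipherSpec.Injection", ["1.0.1h", "1.0.2k"]))
    print(assess(summary, "OpenSSL.ChangeCipherSpec.Injection", ["1.0.1g"]))
```

Feed it an export of the IPS log instead of `SAMPLE_LOGS` and the list of OpenSSL versions from your own TLS servers; if every internal endpoint is at or past the fixed release for its branch, the output agrees with the thread's conclusion that leaving the signature in monitor mode is reasonable for fully patched clients browsing public sites.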