
Created on 07-07-2010 02:13 PM
TLS Session Renegotiation vulnerability
Anybody know if it's possible to turn off SSL/TLS session renegotiation in a Fortigate 50B or if there is a firmware that includes the new renegotiation protocol that isn't vulnerable to a MITM attack? My PCI vulnerability scan found this vulnerability on my SSL VPN port but I imagine it's also there if you use remote administration. I tested it using some other tools as well and it's definitely using the vulnerable protocol. Can't find anything in the CLI manual on how to turn off renegotiation. I've opened a ticket but it looks like support is seriously backlogged and it hasn't been assigned to anyone for 3 business days now. This vulnerability has been around for over 6 months now with a lot of press so I'm surprised I couldn't find anything in the knowledgebase or here on the forum about a mitigation or fix for the Fortigates.
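The check the poster refers to ("tested it using some other tools") can be reproduced by hand. The script below is an added example for this thread and is not code from the original post or from Fortinet. It sends a TLS 1.0 ClientHello carrying both RFC 5746 signals, the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite (0x00FF) and an empty renegotiation_info extension (0xFF01), and then parses the ServerHello to see whether the server echoes renegotiation_info. A server that does not echo it has not implemented RFC 5746 and, if it still accepts renegotiation at all, is in the state CVE-2009-3555 exploits. The cipher suite list, the host name and the port are assumptions; build_server_hello only fabricates a reply so the parser can be exercised offline, and probe() is the only function that touches the network.

```python
# Added example (not Fortinet or forum code): probe for the RFC 5746 secure-renegotiation signal.
# Host, port and cipher suite list are assumptions; build_server_hello fabricates a reply for offline tests.
import os
import socket
import struct

TLS10 = b"\x03\x01"
RENEGOTIATION_INFO = 0xFF01              # extension type, RFC 5746 section 3.2
EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF   # signalling cipher suite value, RFC 5746 section 3.3
HANDSHAKE, ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02


def _ext(ext_type, body):
    """One TLS extension: type, length, body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def _record(handshake_type, body):
    """Wrap a handshake body in handshake and TLS record headers."""
    handshake = bytes([handshake_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + TLS10 + struct.pack("!H", len(handshake)) + handshake


def build_client_hello(server_name, cipher_suites=(0x002F, 0x0035, 0x000A)):
    """ClientHello that signals secure renegotiation both ways: SCSV and empty renegotiation_info."""
    name = server_name.encode("idna")
    sni = _ext(0x0000, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)
    reneg = _ext(RENEGOTIATION_INFO, b"\x00")   # empty renegotiated_connection on the initial handshake
    suites = b"".join(struct.pack("!H", s) for s in (*cipher_suites, EMPTY_RENEGOTIATION_INFO_SCSV))
    exts = sni + reneg
    body = (TLS10 + os.urandom(32) + b"\x00"             # version, client random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                 # compression methods: null only
            + struct.pack("!H", len(exts)) + exts)
    return _record(CLIENT_HELLO, body)


def build_server_hello(cipher_suite, renegotiated_connection=None):
    """Constructed ServerHello for offline tests; None omits the extension, as a pre-RFC 5746 server would."""
    body = TLS10 + bytes(32) + b"\x00" + struct.pack("!H", cipher_suite) + b"\x00"
    if renegotiated_connection is not None:
        ext = _ext(RENEGOTIATION_INFO, bytes([len(renegotiated_connection)]) + renegotiated_connection)
        body += struct.pack("!H", len(ext)) + ext
    return _record(SERVER_HELLO, body)


def parse_server_hello(data):
    """Parse the first record of a reply; report the chosen cipher suite and RFC 5746 status."""
    if len(data) < 5:
        raise ValueError("short record")
    ctype, rec_len = data[0], struct.unpack("!H", data[3:5])[0]
    record = data[5:5 + rec_len]
    if ctype == ALERT and len(record) >= 2:
        raise ValueError(f"server sent alert level={record[0]} description={record[1]}")
    if ctype != HANDSHAKE or not record or record[0] != SERVER_HELLO:
        raise ValueError("reply is not a ServerHello")
    hs_len = int.from_bytes(record[1:4], "big")
    body = record[4:4 + hs_len]
    if len(body) < hs_len:
        raise ValueError("ServerHello continues in a later record; read more data first")
    pos = 2 + 32                                   # skip server_version and random
    pos += 1 + body[pos]                           # skip session id
    cipher = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                       # cipher suite, compression method
    result = {"cipher_suite": cipher, "secure_renegotiation": False, "renegotiated_connection": None}
    if pos >= len(body):
        return result                              # no extensions at all: legacy renegotiation
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        edata = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == RENEGOTIATION_INFO:
            # Body is <length><renegotiated_connection>; RFC 5746 requires it empty on the initial handshake.
            if elen != 1 or edata[0] != 0:
                raise ValueError("malformed or non-empty renegotiation_info on initial handshake")
            result["secure_renegotiation"] = True
            result["renegotiated_connection"] = edata[1:]
    return result


def probe(host, port=443, timeout=5.0):
    """Send the ClientHello to a live server and parse its ServerHello (network; not used by the tests)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        data = b""
        while len(data) < 5 or len(data) < 5 + struct.unpack("!H", data[3:5])[0]:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_server_hello(data)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

Run it as `python reneg_probe.py <firewall-address> <ssl-vpn-port>` (file name and port are assumed; the SSL VPN listener and the admin HTTPS listener should be probed separately). `secure_renegotiation: False` means the server does not advertise RFC 5746. That alone does not prove renegotiation is enabled, so confirm with `openssl s_client -connect host:port` and type `R` on its own line: a server that completes that client-initiated renegotiation without RFC 5746 is exactly what the PCI scanner flagged.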
7 REPLIES
try to do a web chat with support !
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

Created on 07-07-2010 03:17 PM
I did that first and was told it's probably in the CLI manual which I had already looked at. Then I was told to open a ticket. I'm on 8x5 support so no phone option though I'll probably call in to complain about missing the 2 business day SLA.

Created on 07-08-2010 02:34 PM
Finally got a response:
There has been a bug reported for this issue - TLS Session Renegotiation Vulnerability.
The ETA for this bug fix is not determined yet. However, development is working on the patches to have more recent release of OpenSSL implemented in the FortiOS.
Yeow. Most vendors fixed this vulnerability 3 or 4 months ago. It's a bit disconcerting to find out my security appliance vendor is so far behind in fixing such a well publicized vulnerability. I'll have to shut off the SSL VPN until it's fixed to pass my PCI vulnerability scan.
FYI... Not that it will help you because you have a 50B but I was told by some devs that they have a special build that includes a newer version of openssl. Fortinet advised me that it fixed an OpenSSL vulnerability (did not state which ones). On the fortinet image site go to fortiap/4.0/mr2/wireless controller. I did not see the 50B but would be interested to know if anyone else is running this fortigate image.
Nice to hear they already have a build with a newer OpenSSL. So it may not take too long to get a fix.

Created on 09-10-2010 08:09 AM
Great. Two months later and new firmware is released without a fix for this and not even a mention of it as a known issue in the release notes. Is it normal for Fortinet to ignore security vulnerabilities for months and months? Cisco, Sonicwall and others fixed this 6 months ago.

Created on 09-21-2010 05:51 PM
I pinged support for an ETA and they say this won't be fixed until 4.3! The claim is that it requires an architectural change. Cisco, Sonicwall and others fixed this six months ago with a simple update to the OpenSSL libraries to disable SSL session renegotiation. It sounds like it will be well over a year with a significant well-publicized vulnerability caused by the appliance that's supposed to be securing my network before we see a fix. I've had to bring in my Sonicwall SSL-VPN appliance from home to provide SSL-VPN access as we can't pass PCI vulnerability scans with the Fortigate SSL-VPN. This has got to be the worst response from a company whose job is security that I have ever seen in 30 years.
