PSIRT Advisory

Information Disclosure Vulnerability in OpenSSL (Heartbleed)

Description

An information disclosure vulnerability has been discovered in OpenSSL versions 1.0.1 through 1.0.1f. This vulnerability may allow an attacker to access sensitive information from memory by sending specially-crafted TLS heartbeat requests.
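
As an added illustration (not code from this advisory or from OpenSSL), the C function below performs the length consistency check that the OpenSSL fix introduced: a heartbeat record whose declared payload_length does not fit within the bytes actually received is discarded, as RFC 6520 requires. The record layout follows the TLS and RFC 6520 wire format; the two sample records are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>

#define TLS_CT_HEARTBEAT 24   /* TLS record content type for heartbeat (RFC 6520) */
#define HB_PADDING_MIN   16   /* RFC 6520 requires at least 16 bytes of padding */

/* Validate one TLS record as a heartbeat message.
 * Returns 1 when the declared payload fits inside the bytes received, 0 when
 * the record must be silently discarded (RFC 6520 section 4). The final test
 * is the length check missing from OpenSSL 1.0.1 through 1.0.1f; the 1.0.1g
 * fix rejects records where 1 + 2 + payload_length + 16 > record body length. */
int heartbeat_record_is_sane(const uint8_t *rec, size_t rec_len)
{
    /* TLS record header: content type (1), version (2), body length (2). */
    if (rec_len < 5 || rec[0] != TLS_CT_HEARTBEAT)
        return 0;
    size_t body_len = ((size_t)rec[3] << 8) | rec[4];
    if (body_len != rec_len - 5)              /* header disagrees with bytes present */
        return 0;
    /* Heartbeat body: type (1), payload_length (2), payload, padding (>= 16). */
    if (body_len < 1 + 2 + HB_PADDING_MIN)
        return 0;
    const uint8_t *hb = rec + 5;
    if (hb[0] != 1 && hb[0] != 2)             /* 1 = request, 2 = response */
        return 0;
    size_t payload_len = ((size_t)hb[1] << 8) | hb[2];
    if (1 + 2 + payload_len + HB_PADDING_MIN > body_len)
        return 0;                             /* the Heartbleed check */
    return 1;
}

/* Constructed sample: a well-formed heartbeat request with a 3-byte payload
 * ("abc") and 16 bytes of padding; body length 22 = 1 + 2 + 3 + 16. */
static const uint8_t GOOD_RECORD[] = {
    0x18, 0x03, 0x02, 0x00, 0x16,           /* heartbeat, TLS 1.1, body 22 */
    0x01, 0x00, 0x03, 'a', 'b', 'c',        /* request, payload_length 3 */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Constructed sample: identical bytes except payload_length claims 0x4000
 * while only 3 payload bytes were sent; the malformed shape the check discards. */
static const uint8_t BAD_RECORD[] = {
    0x18, 0x03, 0x02, 0x00, 0x16,
    0x01, 0x40, 0x00, 'a', 'b', 'c',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

int check_good(void) { return heartbeat_record_is_sane(GOOD_RECORD, sizeof GOOD_RECORD); }
int check_bad(void)  { return heartbeat_record_is_sane(BAD_RECORD, sizeof BAD_RECORD); }
```

The same check, applied to inbound records at a network boundary, is what an IPS signature for this issue effectively performs.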

Impact

Information Disclosure

Affected Products

FortiGate (FortiOS) 5.0.0 up to 5.0.6
FortiAuthenticator 2.2 and 3.x
FortiMail 4.3.x and 5.x
FortiVoice models 200D, 200D-T and VM
FortiRecorder
FortiADC D-Series models 1500D, 2000D and 4000D
FortiADC E-Series 3.x
Coyote Point Equalizer GX / LX 10.x
FortiDDoS B-series
FortiDNS
AscenLink v7.0 and v7.1-B5599

Solutions

FortiGate (FortiOS)
A software update for FortiOS 5 is available for download on the Fortinet support site at http://support.fortinet.com. This vulnerability is fixed in FortiOS version 5.0.7. Please note that FortiOS 4.3 (4.0MR3) and lower are not affected by this vulnerability.
FortiMail
Updated software is available for FortiMail 4.3 (4.0MR3), 5.0 and 5.1 (5.0MR1). This issue is fixed in versions 4.3.7, 5.0.5 and 5.1.2, which are available for download on the Fortinet support site.
FortiAuthenticator
This vulnerability is fixed in FortiAuthenticator version 3.0.2, which is available on the Fortinet support site. Customers running earlier versions of FortiAuthenticator should upgrade to version 3.0.2.
FortiRecorder
Updated software is available on the Fortinet support site. This issue is fixed in FortiRecorder version 1.4.1.
FortiVoice
Updated software is available on the Fortinet support site under the FortiVoiceOS downloads. This vulnerability is fixed in version 3.0.1. Note that only FortiVoice 200D, 200D-T and VM products are affected.
FortiADC
Updated software for the FortiADC D-series is available on the Fortinet support site. This issue is fixed in version 3.2.2.
Updated software for the FortiADC E-series is also available on the Fortinet support site, under FortiADC-E downloads. This issue is fixed in version 3.2.3 of the E-series software.
Information on software fixes for Coyote Point products can be found in the following advisory:
http://www.coyotepoint.com/files/downloads/EqSecurityVulnerabilities.pdf
FortiDDoS
This vulnerability is fixed in FortiDDoS B-series software version 4.0.1, which is available for download on the Fortinet support site. Note that FortiDDoS A-series appliances are not affected.
AscenLink
A software fix for AscenLink is available in version 7.1-B5745, which is available on the Fortinet support site. Users with existing Xtera AscenLink systems still running firmware below V7.1 with Xtera serial numbers (AAAA-BBBB-CCCC-DDDD), or with any issues accessing Fortinet Support, should contact ascenlink@fortinet.com.
FortiClient
FortiClient 5.x prior to 5.0.9 includes the affected OpenSSL libraries. While FortiClient does not respond to TLS heartbeats, Fortinet recommends that customers exercise caution and upgrade to FortiClient 5.0.9.
Workarounds
FortiGate customers may apply the IPS signature entitled "OpenSSL.TLS.Heartbeat.Information.Disclosure" to protect both FortiOS devices (via interface policies) and systems accessible through a FortiGate.
Please be sure to read the release notes when performing any software upgrade. Firmware release dates for other products are pending.
Last Updated: Monday April 21, 2:00PM Pacific Time