PSIRT Advisory

OpenSSL Security Advisory [26 Jan 2017]

Summary

The OpenSSL project released an advisory on Jan 26th, 2017, describing four vulnerabilities (three rated Moderate, one rated Low severity), as listed below:

CVE-2017-3731: Truncated packet could crash via OOB read
CVE-2017-3730: Bad (EC)DHE parameters cause a client crash
CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64
CVE-2016-7055: Montgomery multiplication may produce incorrect results

Impact

Denial of Service

Affected Products

FortiOS versions 5.4.5 and below are impacted by CVEs:

CVE-2017-3732
CVE-2016-7055

FortiAnalyzer versions 5.4.2 and below are impacted by CVEs:

CVE-2017-3731
CVE-2017-3732

FortiSwitch versions 3.5.2 and below are impacted by CVEs:

CVE-2017-3731
CVE-2017-3732
CVE-2016-7055

FortiAP versions 5.4.2 and below are potentially impacted by these CVEs:

CVE-2017-3731
CVE-2016-7055

Solutions

For FortiOS: Upgrade to firmware version at least 5.4.6 or 5.6.0
For FortiAnalyzer: Upgrade to firmware version at least 5.4.3 or 5.6.0
For FortiSwitch: Upgrade to firmware version at least 3.5.3 or 3.6.0
For FortiAP: Upgrade to firmware version at least 5.4.3 or 5.6.0
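The affected-version and fixed-version figures above are easiest to apply across a fleet with a small version check. The following Python script is an added example and is not Fortinet's own tooling: the version tables are copied from the Affected Products and Solutions sections of this advisory, while the product labels used as dictionary keys, the `v5.4.5,build1138`-style version strings (modelled on CLI status output) and the sample inventory are assumptions made for illustration. It treats a device as affected when its release is at or below the last affected release, so older branches (for example 5.2.x) are flagged as well, and it proposes the lowest fixed release on the device's own branch where one exists.

```python
"""Triage Fortinet firmware versions against the Jan 2017 OpenSSL advisory.

Added example, not Fortinet's own tooling. Version tables come from the
advisory; product keys, version-string format and inventory are assumed.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Highest affected release per product ("<version> and below" in the advisory).
MAX_AFFECTED: Dict[str, Version] = {
    "FortiOS":       (5, 4, 5),
    "FortiAnalyzer": (5, 4, 2),
    "FortiSwitch":   (3, 5, 2),
    "FortiAP":       (5, 4, 2),
}

# Releases that carry the fix, from the Solutions section.
FIXED_IN: Dict[str, List[Version]] = {
    "FortiOS":       [(5, 4, 6), (5, 6, 0)],
    "FortiAnalyzer": [(5, 4, 3), (5, 6, 0)],
    "FortiSwitch":   [(3, 5, 3), (3, 6, 0)],
    "FortiAP":       [(5, 4, 3), (5, 6, 0)],
}

# OpenSSL CVEs each product is exposed to, from the Affected Products section.
# FortiAP is listed as "potentially impacted".
CVES: Dict[str, List[str]] = {
    "FortiOS":       ["CVE-2017-3732", "CVE-2016-7055"],
    "FortiAnalyzer": ["CVE-2017-3731", "CVE-2017-3732"],
    "FortiSwitch":   ["CVE-2017-3731", "CVE-2017-3732", "CVE-2016-7055"],
    "FortiAP":       ["CVE-2017-3731", "CVE-2016-7055"],
}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Extract major.minor.patch from '5.4.5' or an assumed CLI-style
    'v5.4.5,build1138'. Build numbers are ignored: the advisory is per release."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(product: str, version: str) -> bool:
    """True when the running release is at or below the last affected one.
    Tuple comparison covers older branches: (5,2,10) <= (5,4,5) is affected,
    (5,6,0) <= (5,4,5) is not."""
    if product not in MAX_AFFECTED:
        raise KeyError(f"{product} is not covered by this advisory")
    return parse_version(version) <= MAX_AFFECTED[product]


def recommended_upgrade(product: str, version: str) -> Optional[str]:
    """Lowest fixed release on the device's own major.minor branch, otherwise
    the lowest fixed release overall; None when the device is already fixed."""
    if not is_affected(product, version):
        return None
    major, minor, _ = parse_version(version)
    fixes = sorted(FIXED_IN[product])
    same_branch = [f for f in fixes if f[:2] == (major, minor)]
    target = (same_branch or fixes)[0]
    return ".".join(str(n) for n in target)


def triage(product: str, version: str) -> dict:
    """One report row per device, suitable for an asset-inventory sweep."""
    affected = is_affected(product, version)
    return {
        "product": product,
        "version": ".".join(str(n) for n in parse_version(version)),
        "affected": affected,
        "cves": CVES[product] if affected else [],
        "upgrade_to": recommended_upgrade(product, version),
    }


if __name__ == "__main__":
    # Constructed sample inventory; version strings mimic CLI status output.
    inventory = [
        ("FortiOS", "v5.4.5,build1138"),
        ("FortiOS", "v5.2.10,build742"),
        ("FortiOS", "v5.6.0,build1449"),
        ("FortiAnalyzer", "v5.4.3"),
        ("FortiSwitch", "v3.5.2"),
        ("FortiAP", "v5.4.2"),
    ]
    for product, version in inventory:
        print(triage(product, version))
```

Because the advisory gives no fixed release for branches below 5.4 (or 3.5 for FortiSwitch), a device on such a branch is steered to the lowest fixed release overall; confirm the upgrade path for that branch against Fortinet's release notes before scheduling it.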