Summary
Multiple Vulnerabilities in OpenSSL
Impact
CVE-2014-0224 may allow an attacker with a privileged network position (man-in-the-middle) to decrypt SSL encrypted communications.
CVE-2014-0221 may allow an attacker to crash a DTLS client with an invalid handshake.
CVE-2014-0195 can result in a buffer overrun attack by sending invalid DTLS fragments to an OpenSSL DTLS client or server.
CVE-2014-0198 and CVE-2010-5298 may allow an attacker to cause a denial of service under certain conditions, when SSL_MODE_RELEASE_BUFFERS
is enabled.
CVE-2014-3470 may allow an attacker to trigger a denial of service in SSL clients when anonymous ECDH ciphersuites are enabled. This issue
does not affect Fortinet products.
CVE-2014-0076 can be used to discover ECDSA nonces on multi-user systems by exploiting timing attacks in CPU L3 caches. This does not apply
to Fortinet products.
Solution
Upgrade to FortiGate 4.3.16 (build 686),5.2.0 (build 589),5.0.8 (build 291) or higher.
Affected
FortiGate < 4.3.16 (build 686),5.2.0 (build 589),5.0.8 (build 291)
Detection
Check the version
References
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2014-0195, CVE-2014-0221, CVE-2014-0224 -
CVSS Base Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Related Vulnerabilities