CVE-2014-8730 "Poodle for TLS" vulnerability

Impact Detail

Similar to the POODLE attack on SSLv3, an attack against certain implementations of the TLSv1 protocol may allow the plaintext of secure connections to be calculated by an attacker in a Man-in-the-Middle (MitM) position.

Affected Products

FortiOS 5.2.2, 5.2.1, 5.2.0, 5.0.10 and lower running on a hardware appliance when all the following conditions are met:
  • FortiGate models with accelerated CP processors
  • The SSL connection is using TLS v1.0, v1.1 or v1.2
  • The SSL ciphers are CBC
  • Only the following features are affected: virtual server with SSL, SSL offload, explicit-proxy SSL,
    transparent-proxy SSL, web-cache SSL, Wan Opt SSL and SIP SSL

All versions of Fortigate VM, FortiOS 5.4 branch, FortiOS 5.6 branch and next releases are not vulnerable.

Solutions

FortiOS 5.0 branch users must upgrade to 5.0.11 or higher.
FortiOS 5.2.0 branch customers must upgrade to 5.2.3 or higher.
The customers running FortiOS 5.2.2, 5.2.1, 5.2.0, 5.0.10 and lower under all conditions met as per the affected product section can apply the following workaround:
config system global
set virtual-server-hardware-acceleration disable
end
Note: The performance impact may be significant.
To protect devices with a FortiGate, the following IPS signature blocks any attack attempt and is available since IPS update 5.587: TLS.Padding.Oracle.Information.Disclosure