PSIRT Advisories

FortiOS SSL Deep-Inspection possible Insecure Renegotiation

Summary

FortiOS SSL Deep-Inspection may allow insecure renegotiation between TLS clients and servers that support secure renegotiation, opening the door to potential Man-in-the-Middle attacks (CVE-2009-3555) against the TLS connection, in which an attacker could inject arbitrary data into the connection (without, however, being able to decrypt it).

The fix enables secure renegotiation on the SSL Deep-Inspection when both the client and server support it.
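
To verify from a capture whether the two endpoints a deep-inspection proxy sits between actually signal RFC 5746 secure renegotiation, the following added example (not Fortinet's code) parses the ClientHello for the TLS_EMPTY_RENEGOTIATION_INFO_SCSV suite or the renegotiation_info extension and the ServerHello for the echoed extension. The record layout is the standard TLS 1.2 one; the sample hello records at the bottom are constructed for illustration.

```python
import struct

RENEG_INFO_EXT = 0xFF01   # RFC 5746 renegotiation_info extension type
RENEG_SCSV = 0x00FF       # TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value


def parse_hello(record: bytes) -> dict:
    """Report the RFC 5746 signals in one TLS record holding a ClientHello or ServerHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    p, end = 4 + 2 + 32, 4 + hs_len          # skip handshake header, version, random
    p += 1 + body[p]                         # skip session_id
    scsv = has_ext = False
    if hs_type == 0x01:                      # ClientHello carries a cipher suite list
        n = struct.unpack("!H", body[p:p + 2])[0]
        scsv = RENEG_SCSV in struct.unpack("!%dH" % (n // 2), body[p + 2:p + 2 + n])
        p += 2 + n
        p += 1 + body[p]                     # skip compression methods
    elif hs_type == 0x02:                    # ServerHello: one suite, one method
        p += 3
    else:
        raise ValueError("not a ClientHello or ServerHello")
    if p < end:                              # the extension block is optional
        p, ext_end = p + 2, p + 2 + struct.unpack("!H", body[p:p + 2])[0]
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[p:p + 4])
            has_ext = has_ext or etype == RENEG_INFO_EXT
            p += 4 + elen
    return {"scsv": scsv, "renegotiation_info": has_ext,
            "secure_renegotiation": scsv or has_ext}


def negotiated_securely(client_record: bytes, server_record: bytes) -> bool:
    """True only if the client signalled support and the server echoed renegotiation_info."""
    return (parse_hello(client_record)["secure_renegotiation"]
            and parse_hello(server_record)["renegotiation_info"])


def _hello(hs_type: int, middle: bytes, exts: bytes = b"") -> bytes:
    """Wrap a hello body in minimal TLS 1.2 handshake/record headers (constructed data)."""
    ext = struct.pack("!H", len(exts)) + exts if exts else b""
    hs_body = b"\x03\x03" + b"\x11" * 32 + b"\x00" + middle + ext
    hs = bytes([hs_type]) + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


# Constructed samples: client offering the SCSV; server echoing the extension; server signalling nothing.
CLIENT_SCSV = _hello(0x01, b"\x00\x06\xc0\x2f\x00\x9c\x00\xff\x01\x00")
SERVER_RI = _hello(0x02, b"\xc0\x2f\x00", b"\xff\x01\x00\x01\x00")
SERVER_NONE = _hello(0x02, b"\xc0\x2f\x00")
```

A proxy that terminates TLS on both sides has two such exchanges to check; the advisory's fix concerns the case where both endpoints signal support but the inspected connection did not.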

Affected Products

FortiOS 5.6.0

FortiOS 5.4.0 to 5.4.5

FortiOS 5.2.0 to 5.2.12

FortiOS 5.0 and below

Solutions

Upgrade to FortiOS 5.6.1, 5.4.6 or 5.2.13