FortiOS 5.0.x before 5.0.12 and 5.2.x before 5.2.4 supports anonymous, export, RC4, and possibly other weak ciphers when using TLS to connect to FortiGuard servers, which allows man-in-the-middle attackers to spoof TLS content by modifying packets.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Fortios | Fortinet | 5.0.0 (including) | 5.0.0 (including) |
| Fortios | Fortinet | 5.0.1 (including) | 5.0.1 (including) |
| Fortios | Fortinet | 5.0.2 (including) | 5.0.2 (including) |
| Fortios | Fortinet | 5.0.3 (including) | 5.0.3 (including) |
| Fortios | Fortinet | 5.0.4 (including) | 5.0.4 (including) |
| Fortios | Fortinet | 5.0.5 (including) | 5.0.5 (including) |
| Fortios | Fortinet | 5.0.6 (including) | 5.0.6 (including) |
| Fortios | Fortinet | 5.0.7 (including) | 5.0.7 (including) |
| Fortios | Fortinet | 5.0.8 (including) | 5.0.8 (including) |
| Fortios | Fortinet | 5.0.9 (including) | 5.0.9 (including) |
| Fortios | Fortinet | 5.0.10 (including) | 5.0.10 (including) |
| Fortios | Fortinet | 5.0.11 (including) | 5.0.11 (including) |
| Fortios | Fortinet | 5.2.0 (including) | 5.2.0 (including) |
| Fortios | Fortinet | 5.2.1 (including) | 5.2.1 (including) |
| Fortios | Fortinet | 5.2.2 (including) | 5.2.2 (including) |
| Fortios | Fortinet | 5.2.3 (including) | 5.2.3 (including) |
References
- http://fortiguard.com/advisory/2015-07-24-weak-ciphers-suites-are-presented-towards-fortiguard-servers
- http://www.fortiguard.com/advisory/FG-IR-15-021/
- http://www.securitytracker.com/id/1033092
- http://fortiguard.com/advisory/2015-07-24-weak-ciphers-suites-are-presented-towards-fortiguard-servers
- http://www.fortiguard.com/advisory/FG-IR-15-021/
- http://www.securitytracker.com/id/1033092