Fortinet OpenSSL Information Disclosure (Heartbleed)

High Nessus Plugin ID 73669

Synopsis

The remote host is affected by an information disclosure vulnerability.

Description

The firmware of the remote Fortinet host is running a version of OpenSSL that is affected by a remote information disclosure, commonly known as the 'Heartbleed' bug. A remote, unauthenticated, attacker could potentially exploit this vulnerability to extract up to 64 kilobytes of memory per request from the device.

Solution

Upgrade to a firmware version containing a fix for this vulnerability as referenced in the vendor advisory.

See Also

https://fortiguard.com/psirt/FG-IR-14-011

http://www.heartbleed.com

https://eprint.iacr.org/2014/140

https://www.openssl.org/news/vulnerabilities.html#2014-0160

https://www.openssl.org/news/secadv/20140407.txt

Plugin Details

Severity: High

ID: 73669

File Name: fortinet_FG-IR-14-011.nasl

Version: 1.11

Type: local

Family: Misc.

Published: 2014/04/11

Updated: 2018/11/15

Dependencies: 73522

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 9.4

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/o:fortinet:fortios

Required KB Items: Host/Fortigate/model, Host/Fortigate/version, Host/Fortigate/build

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2014/04/09

Vulnerability Publication Date: 2014/04/08

Exploitable With

Core Impact

Reference Information

CVE: CVE-2014-0160

BID: 66690

CERT: 720951

EDB-ID: 32745, 32764, 32791, 32998