Main Vulnerability Database SB2019072302

SB2019072302 - TLS Padding Oracle in FortiOS SSL Deep Inspection

Published: July 23, 2019 Updated: July 23, 2019

Security Bulletin ID SB2019072302

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Cryptographic issues (CVE-ID: CVE-2019-5592)

The vulnerability allows a remote attacker to decrypt HTTPS traffic.

The vulnerability exists due to presence of multiple padding oracle vulnerabilities in the CBC padding implementation of FortiOS when configured with SSL Deep Inspection policies and with the IPS sensor enabled. A remote attacker can perform man-in-the-middle (MitM) attack and decrypt HTTP traffic, passed via FortiGate.

The vulnerability affects the following IPS Engine versions:

IPS engine version 5.00000 to 5.00006
IPS engine version 4.00000 to 4.00036
IPS engine version 4.00200 to 4.00219
IPS engine version 3.00547 and below

Remediation

Install update from vendor's website.

References

https://fortiguard.com/psirt/FG-IR-19-145