Fortigate 5.2 Vulnerability: SSH/SSL – Weak Encryptions

Known issue to:

FortiOS 5.2.x (can also apply to higher versions). But 5.4.x and later has already disabled weaker ciphers DES, RC4 and SSLv3, so Firewalls running on later version are less-prone to vulnerabilities.

 

 

Recommendations/Mitigations: 

What does strong encryption do?

Enabling the use of strong encryption will only allow strong ciphers such as:

  • AES
  • 3DES

and digest

  • SHA1

for HTTPS/SSH admin access.

When strong encryption is enabled, HTTPS is supported by the following web browsers:

  • Netscape 7.2 -8.0
  • Firefox
  • Microsoft Internet Explorer 7.0 – 8.0

Microsoft Internet Explorer 5.0 and 6.0 are not supported in strong encryption.

How to enable strong encryption

On Fortigate, to enable Strong Encryption run the following CLI command:

config sys global
  set strong-crypto enable
  end

To ”’disable”’ Strong Encryption run the following CLI command:

config sys global set strong-crypto disable end

The default setting for strong-crypto is disabled.

The pros and cons of using strong encryption

If strong encryption is better, why is the default setting for it disabled?

This is because while using strong encryption is a good thing most of the time, its benefit is not an absolute benefit for all situations. In fact, there can be situations where there may be some unintended consequences and the encryption level may not be the first thing that comes to mind when troubleshooting.

Strong encryption means that it is harder for someone to crack the encryption and read the traffic, however, stronger levels of encryption require an increase in CPU usage. It takes more CPU cycles to encrypt a packet with a 256 bit than it does with a 40-bit key. This doesn’t make much difference when the CPU performance is usually about 30% of capacity, but when the CPU is already working at a high percentage of capacity, that little bit extra usage may push the CPU to the level that triggers the FortiGate to go into conserve mode. On the plus side, if you have a FortiGate unit that you think is too close to the threshold to risk adding any additional CPU usage, you don’t have to forgo enabling strong encryption on the other FortiGates in your network. Except for FortiGates working in HA, where the configuration will be synchronized automatically, the use of strong encryption on a FortiGate is independent of other devices.

Another aspect with a potential unwanted consequence is the browser support for its usage. While most current browsers are capable of supporting the higher levels of encryption, there may still be people using a browser that do not support it, and if access is dependent on HTTPS or SSH, then access may be denied.

These potential downsides to using strong encryption are unlikely, but they should be taken into consideration before enabling it.

http://cookbook.fortinet.com/increasing-the-encryption-level/

===

Steps: (For SSH and SSL)

1.  to change it to SSH V2.

–>Please configure the following , Supported SSH protocol versions, ciphers, and bit strengths include SSH version 2 with AES-128, 3DES, Blowfish, and SHA-1
config system global
set admin-ssh-v1 disable <—
end

2. to upgrade SSL V1 to higher one and encryption ciphers with a key length of at least 128 bits

config system global
set strong-crypto enable <——–
end

http://kb.fortinet.com/kb/microsites/search.docmd=displayKC&docType=kc&externalId=FD36913&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=8750383&stateId=0%200%2073422324 

If Firewall has SSL-VPN enabled:

config vpn ssl setting 

  set algorithm high
  set sslv3 disable
  set sslv2  disable

end

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s