PT-2019-3150 · Fortinet · FortiOS
Published: 1999-01-01 · Updated: 2020-08-24 · CVE-2019-5592
CVSS v2.0: 7.1 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
FortiOS versions 3.547 and below
FortiOS versions 4.000 through 4.036
FortiOS versions 4.200 through 4.219
FortiOS versions 5.000 through 5.006
Description
The issue concerns multiple padding oracle vulnerabilities in the CBC padding implementation of the FortiOS IPS engine. These vulnerabilities may allow an attacker to decrypt TLS connections passing through the FortiGate by monitoring the traffic from a man-in-the-middle position. The vulnerability stems from a lack of protection for service data and can be exploited by a remote attacker to conduct a man-in-the-middle attack and reveal protected information.
Recommendations
For FortiOS versions 3.547 and below, update to a version that includes a fix for the CBC padding implementation vulnerabilities.
For FortiOS versions 4.000 through 4.036, update to a version that includes a fix for the CBC padding implementation vulnerabilities.
For FortiOS versions 4.200 through 4.219, update to a version that includes a fix for the CBC padding implementation vulnerabilities.
For FortiOS versions 5.000 through 5.006, update to a version that includes a fix for the CBC padding implementation vulnerabilities.
As a temporary workaround, consider disabling the SSL Deep Inspection policies and the IPS sensor to reduce the risk of exploitation.
Fix
Information Disclosure
Improper Verification of Cryptographic Signature
Related Identifiers
Affected Products
FortiOS