Last week Fortinet has released a critical PSIRT-Advisory “Improper check for certificate revocation vulnerability”
Unfortunately the article does not give exact information regarding the background or the solution and we couldn’t find further information about the issue, either. Maybe you have more information?
But Fortinet told us that they have released a Knowledge Base article which gives you more information about the solution.
We hope that helps!
UPDATE – July 29th:
Fortinet has released an blog article were Fortinet give some more information of what has happened: https://www.fortinet.com/blog/business-and-technology/fortinet-announces-mitigation-solutions-and-patch-update.html
UPDATE – July 31st:
The PSIRT advisory states that “the software should be updated manually … and install it on your device (via tftp, USB drive, etc.).”. This leads to some confusion if a “normal” firmware upgrade via WebUI is working, as well. Fortinet Support confirms that an Firmware Upgrade via WebUI is absolutely ok, to fix the issue. A firmware upload via TFTP is not necessary.
Same for the IPS signature: the Fortinet Blog article says: “It’s also worth noting that customers installing software and threat definition updates to FortiOS via manual downloads from https://support.fortinet.com will not be impacted by this potential issue.” It’s not correct that you have to download the IPS Signature manually – they will be updated through the normal schedule update process. But it’s important that the right IPS signature is used in an IPS sensor, which in turn is used in the firewall policies. Just downlaoding the IPS signature does not help at all. But this procedure is cleary described in the KB-article from Fortinet.
