Description
SLOTH's main concern is an attack on TLS 1.2 client authentication (the TLS server holds a list of valid client certificates and the client must present one) when RSA-MD5 is the chosen signature algorithm.
The following two important points noted in the paper must be considered:
- The TLS channel-binding attacks are not a concern for FortiOS products
- The paper mentions IKE and SSH, but those attacks require a chosen-prefix collision attack on SHA-1, which is still considered impractical with today's computing power; hence FortiOS IKE/IPsec and SSH are not affected
The FortiOS SSL/TLS libraries consider MD5 a weak signature algorithm and both follow the recommendations of RFC 5246 section 7.4.1.4.1:
- FortiOS 5.0.2 and later are not affected, as MD5 will never be negotiated
- FortiOS 5.2, 5.4 and future releases are not affected
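As an added illustration of the RFC 5246 section 7.4.1.4.1 negotiation the advisory refers to (example code written for this page, not Fortinet's or FortiOS's code): a parser for the TLS 1.2 supported_signature_algorithms vector that flags and strips the MD5-based pairs a SLOTH-resistant endpoint should never negotiate. The sample vector is constructed.

```python
import struct

# RFC 5246 section 7.4.1.4.1 code points for HashAlgorithm and SignatureAlgorithm.
HASH_NAMES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
              4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
HASH_CODES = {v: k for k, v in HASH_NAMES.items()}
SIG_CODES = {v: k for k, v in SIG_NAMES.items()}

# The hash SLOTH exploits in TLS 1.2 signatures; an endpoint that never
# negotiates it (as the advisory states for FortiOS 5.0.2+) is not exposed.
WEAK_HASHES = {"md5"}


def parse_signature_algorithms(vec: bytes):
    """Parse a supported_signature_algorithms vector: a 2-byte length followed
    by (hash, signature) byte pairs, as carried in the signature_algorithms
    extension and in the TLS 1.2 CertificateRequest message."""
    if len(vec) < 2:
        raise ValueError("truncated supported_signature_algorithms vector")
    (length,) = struct.unpack("!H", vec[:2])
    if length % 2 or length != len(vec) - 2:
        raise ValueError("bad supported_signature_algorithms length")
    return [(HASH_NAMES.get(vec[i], "hash(%d)" % vec[i]),
             SIG_NAMES.get(vec[i + 1], "sig(%d)" % vec[i + 1]))
            for i in range(2, 2 + length, 2)]


def encode_signature_algorithms(pairs):
    """Inverse of parse_signature_algorithms for known algorithm names."""
    body = b"".join(bytes([HASH_CODES[h], SIG_CODES[s]]) for h, s in pairs)
    return struct.pack("!H", len(body)) + body


def weak_signature_algorithms(pairs):
    """Pairs a SLOTH-aware endpoint should refuse to offer or accept."""
    return [(h, s) for h, s in pairs if h in WEAK_HASHES]


def harden(pairs):
    """Drop the weak pairs while keeping the peer's preference order."""
    return [(h, s) for h, s in pairs if h not in WEAK_HASHES]


# Constructed sample: a CertificateRequest vector offering rsa/md5, rsa/sha1,
# rsa/sha256 and ecdsa/sha256 (length 8, then four pairs).
SAMPLE_VECTOR = bytes.fromhex("0008" "0101" "0201" "0401" "0403")

if __name__ == "__main__":
    offered = parse_signature_algorithms(SAMPLE_VECTOR)
    print("weak pairs:", weak_signature_algorithms(offered))
    print("hardened vector:", encode_signature_algorithms(harden(offered)).hex())
```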
Public research URL: http://www.mitls.org...s/attacks/SLOTH
Solution
Upgrade to FortiOS 5.0.2 or later.