B&B Bezpieczeństwo w biznesie

Fortinet has released an update for FortiAuthenticator, version 6.1.3. For security reasons, the new software version updates the OpenLDAP, libxml2 and OpenSSL components, which means that FortiAuthenticator itself is free of the CVE-2022-0778 vulnerability.

Resolved issues:

Bug ID Description
803891 SAML peer certificate expiration issue and XML security issue.
791452 OpenSSL 1.1.1n – Infinite loop in BN_mod_sqrt() reachable when parsing certificates (CVE-2022-0778).
800714 [3rd party component upgrade required for security reasons] FortiAuthenticator – OpenLDAP to 2.6.2.
837219 FortiAuthenticator-VM on same Hyper-V host cannot form HA A/A cluster after July 2022 Windows Updates.
814167 [3rd party component upgrade required for security reasons] FortiAuthenticator – libxml2 to 2.9.14.
861776 Upgrade OpenSSL from 1.1.1n to 1.1.1s, then again to 1.1.1t.

Common Vulnerabilities and Exposures

FortiAuthenticator is no longer vulnerable to the following CVE-Reference(s):

Bug ID CVE references
791452 CVE-2022-0778

Known issues:

Bug ID Description
694664 FortiAuthenticator Agent with group exclusion is throwing a COMException error when accessing AD to check group membership.
876897 FortiAuthenticator memory usage showing in the widget is not matching with memory usage from SNMP (facSysMemUsage).
869867 FortiAuthenticator SSO database is not updating on time when domain users switch from wireless to wired or vice versa.
877432 Selecting the Cloud option for group membership on SAML SP will display a 500 error if we do not select an OAuth server.
566145 Usage Profile TIME USAGE=Time used is not triggering COA or disconnect request to FortiGate.
775006 Occasionally, multiple SMS are received after LDAP user import instead of just one.
780558 When creating a CA certificate, debug logs sometimes show an error.
814255 Custom RADIUS attributes disappear on HA secondary after failover and we get 500 crash when clicking the RADIUS policy.
816070 DB issue if power down during a short window when booting from the factory reset.
787852 TACACS+ attribute value pair for authorization services shows undefined entries.
843334 KVM model does not obey hypervisor soft restart/shutdown commands.
863635 FIDO users status bug on SAML.
866392 FortiAuthenticator GUI/captive portal access freezes and becomes unresponsive during peak hours.
868836 TACACS+ failed authentications not counting towards IP lockouts.
870678 Recovery password and recovery token fail to send alternative email address.
854050 It takes a long time for FortiAuthenticator to reflect active certificates in the GUI after successful SCEP enrollment request.
876703 Not able to view supported methods and available fields using /schema at the end of the endpoint.
878673 Certificate GUI filter by status times out when there are thousands of revoked certificates.
879570 Select All checkbox for Remote User Sync rule does not select all rules for Firefox without private window.
808748 Self-service portal password change fails for remote LDAP users if UPN format is used.
781832 Token bypass not working for FIDO enabled self-service portal.
743775 SCEP Get CA requests intermittently fail under high SCEP load.
857399 FortiAuthenticator fails to send out COA disconnect to FortiGate.
868829 IP lockout not being logged in on FortiAuthenticator logs.
871533 Incorrect FIDO token does not count towards user lockout.
874285 Unable to use FortiAuthenticator images in System replacement messages.
837791 TACACS+ authentication fails when the authentication process takes long.
881296 SNMP v3 with non-ENG letter pass gives authentication failed.
876009 FortiAuthenticator ignores the groups filtering rules and send all SSO groups to FortiGate if FortiGate is configured with FQDN.
751108 FortiAuthenticator does not support admin OIDs from FORTINET-CORE-MIB properly.
801933 FortiAuthenticator as LDAP server; logs show LDAP_FAC in the Source IP field.
620127 Changing from maint-mode-no-sync to maint-mode-sync does not restore syncing.
873050 It shows 403 Forbidden while doing SAML authentication after OAuth succeeds.
755752 Power supplies show voltage input fault on both CLI and GUI.
865372 FortiNAC can overwhelm FortiAuthenticator with 'many' TACACS+ logins on the same service account.
866709 Admin password recheck issues.
837728 Local services cannot use cert with >97 character subject length.
872920 Portal policy realms table values are in the wrong column.
861027 RADIUS attribute name should be only unique within the dictionary, not across all dictionaries.
861112 NTLM authentication does not work with child domain.
878665 500 error when launching a Smart Connect profile that contains a CSR for Android.
741765 REST API /api/v1/tacpluspolicyclient/ endpoint does not recognize policy_name or client_name parameters.
861557 FortiAuthenticator Remote User Sync rules – Set Group Filter not working if OU have special characters in name, e.g., ( , ) , +.
868810 FortiAuthenticator HA device with low priority stays as primary.
842886 Upgrading FortiAuthenticator in HA-LB removes the MAC-address records from the LB node.
861611 Smart Connect for Android running on version 12 and 13 never installed the configuration profile.
871196 LDAP disconnects every few seconds.
838976 Windows log events in FSSO are dropping after some time.
873972 Single group is passed by FortiAuthenticator as an IdP when FIDO only authentication is used in SP settings.
882098 FortiAuthenticator HA is out of sync and web server crashes when clicking on Packet Capture with 500 Internal server error.
680776 AP HA secondary cannot change mgmt interface access configuration, and the option does not sync from the primary either.
875536 User account extension gives CSRF token missing or incorrect.
850023 HA Cluster not forming due to difference in the SmartConnect primary key name (upgrade path mismatch, but should work).

Vendor release notes: FortiAuthenticator 6.1.3

Best regards,

The B&B Team
Bezpieczeństwo w biznesie
